Hi, looking at the bash snippet you've posted, it should be fairly easy to iterate over the scanned/infected files and create a separate GELF message for each.
If you need to know which infected files were found by the same scan, you can simply add a unique identifier to the GELF messages (using the same identifier for all infected files found by the same scan). See http://stackoverflow.com/a/19772067, https://unix.stackexchange.com/questions/39473/command-substitution-splitting-on-newline-but-not-space, and http://wiki.bash-hackers.org/commands/builtin/mapfile for some inspiration.

Cheers,
Jochen

On Wednesday, 24 August 2016 13:13:52 UTC+2, ravedog wrote:
>
> Hi Jochen,
>
> First of all, thanks again for taking your time. It's very highly
> appreciated :)
>
> Ok sure, from a bash script, the GELF is generated like this:
>
> FILES=$(/bin/cat /var/log/avscanoutputfile | /bin/grep ^/)
>
> echo -e '{
> "version": "1.1",
> "host":"'${HOSTNAME}'",
> "short_message":"Clam AV Scan",
> "level":6,
> ... #A lot of other custom rows that are not regarding this matter.
> "_clamav_infeced_files":"'${FILES}'"
> "_clamav_infected":"'${number of infected files}'"
> }\0' | nc -w 1 theserver.company.net 12201
>
> The avscanoutputfile which is read into the FILES var above looks like this:
>
> -------------------------------------------------------------------------------
>
> /var/log/syslog.1: Eicar-Test-Signature FOUND
> /home/JIMBOB/Desktop/Untitled Document: Eicar-Test-Signature FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 4745906
> Engine version: 0.99
> Scanned directories: 39075
> Scanned files: 209569
> Infected files: 2
> Data scanned: 11207.61 MB
> Data read: 891244.70 MB (ratio 0.01:1)
> Time: 734.572 sec (12 m 14 s)
>
> The big issue here is that I need each line (such as /var/log/syslog.1:
> Eicar-Test-Signature FOUND) to be a separate field in the above GELF.
>
> Something like:
> echo -e '{
> "version": "1.1",
> "host":"'${HOSTNAME}'",
> "short_message":"Clam AV Scan",
> "level":6,
> ... #A lot of other custom rows that are not regarding this matter.
> "_clamav_infeced_file1":"/var/log/syslog.1: Eicar-Test-Signature FOUND"
> "_clamav_infeced_file2":"/home/JIMBOB/Desktop/Untitled Document: Eicar-Test-Signature FOUND"
> "_clamav_infected":"'${number of infected files}'"
> }\0' | nc -w 1 theserver.company.net 12201
>
> The issue here is that I don't know if there are 0 lines that matched the
> FILES grep above, or 20.
>
> I guess this turns out to be more of a bash scripting issue now, but I
> really need a reliable way to read each line of that file into a separate
> field.
>
> Any suggestions are highly appreciated.
>
> Thanks,
> R
>
> (EDIT: all the previous text was included, removed and re-added the answer)
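As an added example (not code from the thread, and not Graylog's own tooling), here is a POSIX shell script that does what the reply suggests: it reads a ClamAV scan log, emits one GELF message per infected file, and stamps every message from the same run with a shared scan id, followed by one summary message carrying the infected-file count. The sample log is constructed, modelled on the one quoted above; the field names `_clamav_scan_id`, `_clamav_infected_file` and `_clamav_signature` are assumptions, and the `nc` target is the one from the thread. Values are escaped before being placed in JSON, so a path containing a double quote or backslash cannot break the message. Zero matches produce zero per-file messages, which resolves the "0 lines or 20" problem.

```shell
#!/bin/sh
# Added example: one GELF message per infected file found by a ClamAV scan,
# all tagged with the same scan id, plus a per-scan summary message.

# Constructed sample scan log, modelled on the one quoted in the thread.
SAMPLE_LOG='-------------------------------------------------------------------------------

/var/log/syslog.1: Eicar-Test-Signature FOUND
/home/JIMBOB/Desktop/Untitled Document: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4745906
Infected files: 2'

# Escape a value for use inside a JSON string literal (backslash, double quote).
# Log lines are split on newline, so a newline cannot occur inside a value.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build one GELF object for a single "path: Signature FOUND" line.
# $1 scan id, $2 host, $3 log line. Prints the JSON object without a newline.
# The split is on the LAST ": " so paths containing a colon still parse.
gelf_for_line() {
  scan_id=$1; host=$2; line=$3
  path=${line%": "*}          # drop the trailing ": Signature FOUND"
  sig=${line##*": "}          # keep what follows the last ": "
  sig=${sig% FOUND}           # drop the trailing " FOUND"
  printf '{"version":"1.1","host":"%s","short_message":"ClamAV infected file","level":4,"_clamav_scan_id":"%s","_clamav_infected_file":"%s","_clamav_signature":"%s"}' \
    "$(json_escape "$host")" "$(json_escape "$scan_id")" \
    "$(json_escape "$path")" "$(json_escape "$sig")"
}

# Read a scan log on stdin; print one GELF object per infected file, one per line.
# With no infected files nothing is printed.
gelf_messages_from_log() {
  scan_id=$1; host=$2
  grep '^/.* FOUND$' | while IFS= read -r l; do
    gelf_for_line "$scan_id" "$host" "$l"
    printf '\n'
  done
}

# Count infected-file lines on stdin ("0" when grep finds none).
count_infected() {
  grep -c '^/.* FOUND$' || true
}

# Summary message with the same scan id, so per-file messages can be correlated.
# $1 scan id, $2 host, $3 infected count.
gelf_scan_summary() {
  printf '{"version":"1.1","host":"%s","short_message":"ClamAV scan finished","level":6,"_clamav_scan_id":"%s","_clamav_infected":%s}' \
    "$(json_escape "$2")" "$(json_escape "$1")" "$3"
}

# Stand-alone usage. As in the original snippet, each message is NUL-terminated
# for the GELF TCP input; pipe the output into: nc -w 1 theserver.company.net 12201
scan_id="$(date +%Y%m%dT%H%M%S)-$$"
host=${HOSTNAME:-$(hostname 2>/dev/null || echo unknown)}
printf '%s\n' "$SAMPLE_LOG" | gelf_messages_from_log "$scan_id" "$host" | while IFS= read -r msg; do
  printf '%s\0' "$msg"
done
printf '%s\0' "$(gelf_scan_summary "$scan_id" "$host" "$(printf '%s\n' "$SAMPLE_LOG" | count_infected)")"
```

In production the script would read the real scan output (`/var/log/avscanoutputfile` in the thread) instead of `SAMPLE_LOG`; with a unique `_clamav_scan_id` on every message, a Graylog search on that field returns the whole scan, and `_clamav_infected` on the summary gives the count without having to number the fields.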
