Hi,
Thanks for your answer. I solved this yesterday and I thought I'd share my
findings here in case anyone else has the same need.
Since the solution looks like this (the parsing is done in the client, not
in the server or application), this is not directly Graylog related, but
very much indirectly.
When creating the GELF message, I put a bash function in the middle of it
that reads all the file paths from this log file. It dumps them into an
array and then creates one field name per entry, in sequence, for Graylog
to pick up.
So the GELF looks like this:
...
"_clamav_infected":"1",
'$(FILES)' # the function's output is spliced in here
...
The function:
FILES() {
  /bin/grep '^/' "${clamscan_output}" > "$INFECTED"   # infected-file lines start with "/"
  readarray -t i < "$INFECTED"                         # -t drops each line's trailing newline
  NUMBER=0
  for lines in "${i[@]}"
  do
    # one GELF additional field per entry; the value must be a quoted JSON string
    echo '"_clamsav_infected_file_'"$NUMBER"'":"'"$lines"'",'
    NUMBER=$((NUMBER + 1))
  done
}
With this, each file entry in the log file produces a new field, so it
looks like this when it is sent:
...
"_clamav_infected":"1",
"_clamsav_infected_file_0":"/path/to/virus virus-name",
"_clamsav_infected_file_1":"/path/to/virus virus-name",
"_clamsav_infected_file_2":"/path/to/virus virus-name",
"_clamsav_infected_file_3":"/path/to/virus virus-name",
...
So if anyone needs to read and send an unknown number of entries from a
file as separate fields, this is one solution.
br,
R
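One caveat on the approach above: the file path is spliced into the JSON
unescaped, and the path is chosen by whoever put the file on the box (an
uploader, a mail sender), so a file name containing a double quote can
close the value early and inject extra members into the record, for example
a fake "_clamav_infected":"0". The script below is an added example, not the
poster's code, that builds the same numbered fields but JSON-escapes every
value; the clamscan output, the file names and the host name in it are
constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not the original poster's code. Builds the same numbered
# "_clamsav_infected_file_N" GELF fields from clamscan output, but escapes each
# value as a JSON string so a crafted file name cannot inject extra fields.
set -euo pipefail

# Constructed clamscan output. The second file name contains double quotes and
# a fake "_clamav_infected":"0" member, the way an attacker who controls the
# uploaded file name would try to tamper with the log record.
SAMPLE_SCAN=$'/srv/upload/eicar.com: Eicar-Test-Signature FOUND\n/srv/upload/evil","_clamav_infected":"0","x":".exe: Win.Trojan.Agent FOUND\n\n----------- SCAN SUMMARY -----------\nInfected files: 2'

# Escape a string for use inside a JSON double-quoted literal: backslash,
# double quote and the control characters that show up in file names.
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  printf '%s' "$s"
}

# Read clamscan output on stdin and emit one "_clamsav_infected_file_N":"..."
# member per infected-file line (the lines that start with "/"), comma
# separated and with no trailing comma.
infected_fields() {
  local n=0 line out=""
  while IFS= read -r line; do
    case $line in
      /*) ;;
      *) continue ;;
    esac
    if [ -n "$out" ]; then out+=","; fi
    out+='"_clamsav_infected_file_'"$n"'":"'"$(json_escape "$line")"'"'
    n=$((n + 1))
  done
  printf '%s' "$out"
}

# Assemble a GELF 1.1 payload; $1 is the clamscan output text and the host
# name "av-host" is a placeholder.
gelf_message() {
  local scan=$1 fields count
  fields=$(printf '%s\n' "$scan" | infected_fields)
  count=$(printf '%s\n' "$scan" | grep -c '^/' || true)
  printf '{"version":"1.1","host":"av-host","short_message":"clamav scan finished","_clamav_infected":"%s"%s}' \
    "$count" "${fields:+,$fields}"
}

gelf_message "$SAMPLE_SCAN"
echo
```

Running it prints a single JSON object in which the hostile file name ends
up as one escaped string value rather than as three members. The numbered
names keep to the GELF rule that additional fields start with an underscore
and contain only word characters, dots and dashes, so nothing else needs
escaping on the key side.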
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/080a85e3-8780-4c2e-84ca-b89c861971cc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.