On 03/06/2015 01:15 PM, Botond Botyanszki wrote:

> Probably many syslog implementations are able to parse it with double
> digits but to not break standards compliance you should be only replacing
> the second, i.e. the value in snare timestamp field.

Well, for those that come along and read this in the archives, I was
able to get it working with the following:

<Output out>
  Module      om_tcp
  Host        1.2.3.4
  Port        514
  # Output to Snare and fix date format bug: zero-pad the single-digit day
  # in the Snare timestamp field only (the syslog header keeps its own padding).
  # Each continued line of the Exec directive needs a trailing backslash.
  Exec to_syslog_snare(); \
       if $raw_event =~ /(\w\w\w\s+[\s|\d]\d\s+\d\d:\d\d:\d\d\s\S+\s\S+\s+\d+\s+\S+\s+\d+\s+\w\w\w\s\w\w\w)(\s\s)(\d\s+\d\d:\d\d:\d\d\s+\d\d\d\d)(.+)/ \
           $raw_event = $1 + " 0" + $3 + $4;
</Output>

A few notes:
- In the log, there is a space between the Snare "hostname" and "event
log type" fields. If the Snare manual is to be believed, this should be
a tab. Maybe it's another tiny bug in Snare format compatibility.
- I tried putting a ^ like this "if $raw_event =~ /^(" and like this "if
$raw_event =~ /(^" but both seemed to break it. Not sure why I can't
anchor it to the beginning of the line when the regex seems otherwise
correct to me.
- I used \s+ instead of tab since it includes tab and since a future
update might fix a space and make it a tab. I think this is one of those
cases where the trade-off in exactness might be worth it (although I
wish the anchor worked)?
- I realize I could have used 3 capturing groups instead of 4, but I
thought it was slightly more readable this way.
- Botond probably has a very elegant way to make this ugliness much
prettier, but I couldn't wait :)

Thanks again for a great product. HTH!
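As an added illustration for archive readers (my own code, not part of the original message and not NXLog's), the same normalization written in Python: only the day in the Snare record's timestamp is zero-padded, the RFC 3164 syslog header (where a space-padded day is the standard) is left untouched, lines that already carry a two-digit day pass through unchanged, and the pattern is anchored at the start of the line. The sample lines are constructed for this example.

```python
import re

# Constructed Snare-over-syslog samples (not real log data). Fields after
# the hostname are tab-separated here; the regex accepts spaces too, since
# some agents emit a space instead of the documented tab.
SAMPLE_SINGLE_DIGIT_DAY = (
    "<13>Mar  6 13:15:00 winhost\tMSWinEventLog\t1\tSecurity\t123\t"
    "Fri Mar  6 13:15:00 2015\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tAudit Success\twinhost\tLogon\tAn account was successfully logged on.\t42"
)
SAMPLE_TWO_DIGIT_DAY = (
    "<13>Mar 16 13:15:00 winhost\tMSWinEventLog\t1\tSecurity\t124\t"
    "Mon Mar 16 13:15:00 2015\t4625\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tAudit Failure\twinhost\tLogon\tAn account failed to log on.\t43"
)

# Anchored at the line start. Group "head" swallows the syslog header
# (including its space-padded day) and the Snare fields up to the weekday
# and month of the Snare timestamp, so only the single-digit day that
# follows two spaces is touched.
SNARE_DAY_RE = re.compile(
    r"^(?P<head>(?:<\d{1,3}>)?"                  # optional syslog PRI
    r"[A-Z][a-z]{2}\s+[ \d]\d\s+\d\d:\d\d:\d\d"   # RFC 3164 header timestamp
    r"\s\S+\s\S+\s+\d+\s+\S+\s+\d+\s+"            # host, MSWinEventLog, crit, source, counter
    r"[A-Z][a-z]{2}\s[A-Z][a-z]{2})"              # weekday and month of Snare timestamp
    r"\s\s(?P<day>\d)"                            # two spaces, then a single-digit day
    r"(?P<rest>\s+\d\d:\d\d:\d\d\s+\d{4}.*)$"     # time, year and the remaining fields
)


def fix_snare_day(line: str) -> str:
    """Return the line with the Snare timestamp day zero-padded.

    Lines that do not match (two-digit day already, or not a Snare record)
    are returned unchanged so nothing else in the stream is rewritten.
    """
    m = SNARE_DAY_RE.match(line)
    if not m:
        return line
    return f"{m.group('head')} 0{m.group('day')}{m.group('rest')}"


def header_timestamp(line: str) -> str:
    """Extract the syslog header timestamp, to confirm it was not altered."""
    m = re.match(r"^(?:<\d{1,3}>)?([A-Z][a-z]{2}\s+[ \d]\d\s+\d\d:\d\d:\d\d)", line)
    return m.group(1) if m else ""


if __name__ == "__main__":
    for sample in (SAMPLE_SINGLE_DIGIT_DAY, SAMPLE_TWO_DIGIT_DAY):
        print(fix_snare_day(sample))
```

Because the header and the Snare timestamp use the same month/day/time shape, the important design point is that the replacement is driven by the field position (after the criticality, source and counter fields), not by the first date-looking substring in the line.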

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
