On Thu, 6 Jun 2013, Xuri Nagarin wrote:

Well, if you are getting your messages in the CEE format, it would seem to
me to make more sense to invoke the mmjson parsing module to extract all
the fields. That way you aren't doing string searches, you can just do an
if on the particular variable that you are looking for. I would expect this
to be faster once you have a few different filters.


Sorry, logs are in CEF (Common Event Format driven by HP-ArcSight) and not
CEE :)

Ok, doing a quick Google search is saying that these logs are in the format

CEF:Version|Device Vendor|Device Product|Device Version|Signature 
ID|Name|Severity|Extension

and as I am understanding, "CEF:" is the programname and everything after the : is in the message.

Yes, I am following the same approach. I am expanding the filters within a
single rule one by one and keeping an eye on performance metrics on the
host. Is there any documentation about what's better performing in terms of
string comparison within rsyslog?

Is this:
field($msg, 124, 3) == "DNS Trace Log"

better than:
field($msg, 124, 3) startswith "DNS"

??

I am expanding my ruleset this way:
----xxxxxxxxxxxxxxxxxxxxx---------
template(name="cefdynfile" type="string"
string="/var/log/joe/%msg:F,124:2%/%msg:F,124:3%/logfile")

ruleset(name="tcpcef") {
if $syslogtag=="CEF:" then { action (type="omfile" FileOwner="joe"
FileGroup="joe" DirOwner="joe" DirGroup="joe" DirCreateMode="0755"
FileCreateMode="0644" DynaFile="cefdynfile")  }
if field($msg, 124, 3) == "ASA" then { action (type="omfwd"
Target="127.0.0.1" Port="5146" Protocol="tcp") stop }
if field($msg, 124, 3) startswith "DNS" then { action (type="omfwd"
Target="127.0.0.1" Port="5161" Protocol="tcp") stop }
}
----xxxxxxxxxxxxxxxxxxxxx---------

Doing field extraction, especially repeated extraction of the same field, is expensive.

do something like

set $!vendor = field($msg, 124, 2)
set $!product = field($msg, 124, 3)

template(name="cefdynfile" type="string" 
string="/var/log/joe/%$!vendor%/%$!product%/logfile")

if $!product == "ASA" then {
  action (type="omfwd" Target="127.0.0.1" Port="5146" Protocol="tcp")
  stop
}

We have some thoughts that would possibly make this even better in the future. When table lookups get implemented, this would be able to be simplified to:

set $!vendor = field($msg, 124, 2)
set $!product = field($msg, 124, 3)
set $!port = lookup("ports", $!product)
template(name="cefdynfile" type="string" 
string="/var/log/joe/%$!vendor%/%$!product%/logfile")

if $syslogtag == "CEF:" then {
  action (type="omfile" FileOwner="joe" FileGroup="joe" DirOwner="joe" DirGroup="joe" 
DirCreateMode="0755" FileCreateMode="0644" DynaFile="cefdynfile")
  action (type="omfwd" Target="127.0.0.1" Port="$!port" Protocol="tcp")
  stop
}

David Lang
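The following is an added example and is not part of the thread above or of rsyslog itself. It reproduces in Python what the thread does in RainerScript: split a CEF record into its header fields once, then derive the dynafile path and the forward port from the extracted vendor/product. Two points the thread only implies are made explicit: a plain split on every pipe (what field($msg, 124, N) does) mis-fields a header whose vendor or product contains an escaped pipe, which the CEF header format allows (`\|` and `\\` inside the seven header fields), and vendor/product come from the log sender, so they are cleaned before being used as path elements. The sample lines, the PORTS table, the /var/log/joe prefix and all function names are constructed for the example.

```python
# Added example (not from the thread or from rsyslog): a CEF header parser that
# honours backslash escapes, next to the naive split that field($msg, 124, N)
# performs, plus the extract-once-then-route pattern David describes.
# All sample lines, port numbers and the PORTS table are constructed.
import re

HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")

# Constructed routing table standing in for the future lookup("ports", $!product).
PORTS = {"ASA": 5146, "DNS Trace Log": 5161}

# Anything outside this set is not allowed into a dynafile path element.
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def naive_fields(msg):
    """Plain split on '|', i.e. what field($msg, 124, N) does (1-based in rsyslog)."""
    return msg.split("|")


def parse_cef(line):
    """Parse 'CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|Extension'.

    Inside the seven header fields a literal '|' or '\\' is escaped with a
    backslash; the extension is returned raw (pipes there are not escaped).
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    msg = line[len("CEF:"):]
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < len(HEADER_NAMES):
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg) and msg[i + 1] in "|\\":
            cur.append(msg[i + 1])       # escaped pipe or backslash
            i += 2
        elif ch == "|":
            fields.append("".join(cur))  # end of one header field
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < len(HEADER_NAMES):
        raise ValueError("incomplete CEF header")
    rec = dict(zip(HEADER_NAMES, fields))
    rec["extension"] = msg[i:]           # everything after the seventh pipe
    return rec


def safe_component(value):
    """Reduce a header field to a single safe path element.

    Vendor/product are controlled by the log sender, so a value containing
    '/' or '..' must not be able to steer the dynafile outside /var/log/joe.
    """
    cleaned = UNSAFE_CHARS.sub("_", value)
    return cleaned if cleaned not in ("", ".", "..") else "_"


def route(line, ports=PORTS):
    """Extract vendor/product once, then derive file path and forward port."""
    rec = parse_cef(line)
    path = "/var/log/joe/%s/%s/logfile" % (safe_component(rec["vendor"]),
                                            safe_component(rec["product"]))
    return {"path": path, "port": ports.get(rec["product"]), "record": rec}


if __name__ == "__main__":
    # Constructed sample with an escaped pipe in the vendor field.
    sample = "CEF:0|Acme\\|Corp|Widget|1.0|100|Pipe in vendor|3|src=10.0.0.1 dst=10.0.0.2"
    print(naive_fields(sample[4:])[1:3])   # mis-fielded: ['Acme\\', 'Corp']
    r = route(sample)
    print(r["record"]["vendor"], r["record"]["product"], r["path"], r["port"])
```

The same two safeguards exist inside rsyslog: the fields are extracted once into variables as David shows, and the property replacer has the `secpath-drop` and `secpath-replace` options for stripping path-relevant characters from a property before it is used in a dynafile name.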
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
