I think the : on the end of [Root]system-notification-00257(traffic): is messing me up


Aug 30 15:58:28 dencfw01.contournetworks.net dencfw01: NetScreen 
device_id=dencfw01  [Root]system-notification-00257(traffic): 
start_time="2018-08-30 13:58:26" duration=2 policy_id=1623 service=https 
proto=6 src zone=private_atm dst zone=Untrust action=Permit sent=136 rcvd=68 
src=10.82.8.20 dst=172.217.4.46 src_port=58024 dst_port=443 src-xlated 
ip=74.115.157.233 port=49293 dst-xlated ip=172.217.4.46 port=443 
session_id=86783 reason=Close - TCP RST

current rule is

rule=:%start_time:date-rfc3164% %host:word% %device:word% %device:word% %device_id:word% %filler1:char-to:\x3A% %filler2:char-to:\"% %filler3:char-to:\x20%

I get the results of


{ "originalmsg": "Aug 30 15:58:28 dencfw01.contournetworks.net dencfw01: 
NetScreen device_id=dencfw01  [Root]system-notification-00257(traffic): 
start_time=\"2018-08-30 13:58:26\" duration=2 policy_id=1623 service=https 
proto=6 src zone=private_atm dst zone=Untrust action=Permit sent=136 rcvd=68 
src=10.82.8.20 dst=172.217.4.46 src_port=58024 dst_port=443 src-xlated 
ip=74.115.157.233 port=49293 dst-xlated ip=172.217.4.46 port=443 
session_id=86783 reason=Close - TCP RST", "unparsed-data": ": 
start_time=\"2018-08-30 13:58:26\" duration=2 policy_id=1623 service=https 
proto=6 src zone=private_atm dst zone=Untrust action=Permit sent=136 rcvd=68 
src=10.82.8.20 dst=172.217.4.46 src_port=58024 dst_port=443 src-xlated 
ip=74.115.157.233 port=49293 dst-xlated ip=172.217.4.46 port=443 
session_id=86783 reason=Close - TCP RST" }


I know \x23 is up to the :

Thank you for the assistance

________________________________
From: rsyslog <rsyslog-boun...@lists.adiscon.com> on behalf of David Lang 
<da...@lang.hm>
Sent: Thursday, August 30, 2018 3:22:06 PM
To: rsyslog-users
Subject: Re: [rsyslog] template to parse file and save to database

On Thu, 30 Aug 2018, Jason Prouty wrote:

> I am trying to normalize my firewall log
>
> example
>
> [Root]system-notification-00257(traffic): start_time="2018-08-30 13:58:26" 
> duration=2 policy_id=1623 service=https proto=6 src zone=private_atm dst 
> zone=Untrust action=Permit sent=136 rcvd=68 src=10.82.8.20
>
>
> when I run the rule I am getting stuck on the quotes
>
> "unparsed-data": "\"2018-08-30 13:58:26\" duration=2 policy_id=1623 
> service=https proto=6 src zone=private_atm dst zone=Untrust action=Permit 
> sent=136 rcvd=68 src=10.82.8.20
>
>
> why does the time quotes show up with the \

That is an artifact of displaying the results in XML: the value of unparsed-data
is quoted, and since there are quotes in the value itself, they need to be escaped
to be valid XML.

You would use the quoted word type, or do
"%start:char-to:"%"
to match the time.

David Lang

>
>
>
> ________________________________
> From: rsyslog <rsyslog-boun...@lists.adiscon.com> on behalf of David Lang 
> <da...@lang.hm>
> Sent: Thursday, August 30, 2018 10:12 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] template to parse file and save to database
>
> On Thu, 30 Aug 2018, Jason Prouty wrote:
>
>> would the normalize process allow me to break the message apart to insert 
>> fields from the message into a table?
>
> Yes, and when you go to insert individual fields, you will want to adjust the
> template that you use to insert into the database to put the fields where you
> want them in the database.
>
> David Lang
>
>>
>> ________________________________
>> From: rsyslog <rsyslog-boun...@lists.adiscon.com> on behalf of David Lang 
>> <da...@lang.hm>
>> Sent: Wednesday, August 29, 2018 6:16:07 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] template to parse file and save to database
>>
>> On Wed, 29 Aug 2018, Jason Prouty wrote:
>>
>>> I am trying to use the msg contains:
>>>
>>>  directive to log a specific firewall policy  message to a database
>>>
>>> would this be best to do in a template
>>
>> no, all a template does is format the message.
>>
>>> currently I have it going to a flat file but I cannot seem to get it to log 
>>> to a mysql database
>>>
>>> :msg, contains, "policy_id=xxxx" /var/log/policyidxxx.log
>>
>> so what you need to do is to look up the output module to put logs into your
>> database and replace the file output with the database insertion.
>>
>> David Lang
>>
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
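To see why the posted rule stops exactly at the ":" and what a literal ":" plus the quoted-field pattern from the reply changes, here is a small simulation of the liblognorm rule walk written for this thread (an added example, not liblognorm's code or anything posted on the list). The parser types it honours, the quote handling and the field names in the fixed rule are simplified assumptions of mine.

```python
import re

# Constructed sample: the NetScreen line from the thread, cut after rcvd=68 but
# keeping the double space after device_id=dencfw01 that the rule has to step over.
LOG = ('Aug 30 15:58:28 dencfw01.contournetworks.net dencfw01: NetScreen '
       'device_id=dencfw01  [Root]system-notification-00257(traffic): '
       'start_time="2018-08-30 13:58:26" duration=2 policy_id=1623 service=https '
       'proto=6 src zone=private_atm dst zone=Untrust action=Permit sent=136 rcvd=68')
# The rule as posted: char-to stops *before* the ':' and nothing in the rule eats it.
RULE_POSTED = (r'rule=:%start_time:date-rfc3164% %host:word% %device:word% %device:word% '
               r'%device_id:word% %filler1:char-to:\x3A% %filler2:char-to:\"% '
               r'%filler3:char-to:\x20%')
# Fixed (my field names): a literal ':' after filler1, and the timestamp read the way
# the reply suggests, as literal quote, char-to quote, literal quote.
RULE_FIXED = (r'rule=:%start_time:date-rfc3164% %host:word% %sender:word% %vendor:word% '
              r'%device_id:word% %filler1:char-to:\x3A%: '
              r'start_time="%session_start:char-to:\"%" duration=%duration:number% '
              r'policy_id=%policy_id:number% %rest:rest%')

def _unescape(s):
    """Decode rulebase delimiter escapes such as \\x3A, \\x20 and an escaped quote."""
    s = re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)
    return s.replace('\\"', '"')

def _tokens(rule):
    """Split a rule into literal text (even slots) and (name, type[, arg]) fields."""
    body = rule[len('rule=:'):] if rule.startswith('rule=:') else rule
    return [p if i % 2 == 0 else tuple(p.split(':', 2))
            for i, p in enumerate(body.split('%'))]

def _parse_field(ptype, arg, rest):
    """Apply one parser type to rest; return (value, chars consumed) or None."""
    if ptype == 'char-to':                   # up to, but not including, the delimiter
        end = rest.find(_unescape(arg))
        return None if end < 1 else (rest[:end], end)
    pattern = {'word': r'(\S+)', 'number': r'(\d+)', 'rest': r'(.*)',
               'quoted-string': r'"([^"]*)"',
               'date-rfc3164': r'([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})'}[ptype]
    m = re.match(pattern, rest)
    return None if m is None else (m.group(1), m.end())

def normalize(rule, msg):
    """Walk the rule over msg. On the first mismatch return the tail that would show
    up as unparsed-data; on a full match return the extracted fields."""
    fields, pos = {}, 0
    for tok in _tokens(rule):
        rest = msg[pos:]
        if isinstance(tok, str):             # literal text must match exactly
            hit = (tok, len(tok)) if rest.startswith(tok) else None
        else:
            hit = _parse_field(tok[1], tok[2] if len(tok) > 2 else '', rest)
            if hit is not None:
                fields[tok[0]] = hit[0]
        if hit is None:
            return {'unparsed-data': rest}
        pos += hit[1]
    return fields if pos == len(msg) else {'unparsed-data': msg[pos:]}
```

Running `normalize(RULE_POSTED, LOG)` reproduces the ": start_time=..." tail from the thread, while `normalize(RULE_FIXED, LOG)` returns the session timestamp, duration and policy_id as separate fields.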