I'm setting up central logging for our servers using syslog-ng
+ patterndb
, however the logs the logging server is receiving from the client are prepended with the date, host and other data. This of course breaks all the patterns in patterndb
so nothing matches.
Is there a way to do some preprocessing on the source log file before attempting to classify it or some other way to overcome this problem?
Cheers.
Relevant client conf:
source s_src {
system();
internal();
};
destination d_central_logging {
syslog(192.168.1.1 transport("tcp") port("12345"));
};
log {
source(s_src);
destination(d_central_logging);
};
Relevant server conf:
parser p_patterndb {
db-parser(file("/var/lib/syslog-ng/patterndb.xml"));
};
source s_network {
tcp(port(12345) flags(syslog-protocol));
};
filter f_class_unknown {
match("unknown"
value(".classifier.class")
type("string")
);
};
destination d_all {
file("/tmp/all");
};
destination d_unknown {
file("/tmp/unknown");
};
log {
source(s_network);
parser(p_patterndb);
log {
filter(f_class_unknown);
destination(d_unknown);
};
log {
destination(d_all);
};
};
EDIT:
original log line:
10.0.2.2 - - [23/Dec/2014:13:42:49 +0000] "GET /assets/favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"
modified log line:
Dec 23 13:59:08 192.168.33.44 264 <13>1 2014-12-23T13:42:50+00:00 devhost 10.0.2.2 - - [meta sequenceId="8"] - - [23/Dec/2014:13:42:49 +0000] "GET /assets/favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36"