
Mailing List Archive: RSyslog: users

Best Way to Add Properties?

 

 



vladg at illinois

Mar 26, 2012, 7:49 AM

Best Way to Add Properties?

Hello,

We're working on a new input module, to parse Cisco Netflow data. As part of this, we parse out all the relevant pieces of information (source IP, destination IP, etc.), and then recombine them into a string, which then gets passed on. It seems very inefficient to parse out individual pieces, recombine them into a string, and then re-parse it out when we want to use it in a template.

Is there a way for an input or message modification module to add additional properties to each message? Would it be better to write a liblognorm parser? Apart from mmnormalize, are there other modules that do this that we could look at?

Thanks in advance,

--
Vlad Grigorescu | IT Security Engineer
Office of Privacy and Information Assurance
University of Illinois at Urbana-Champaign
0x632E5272 | 217.244.1922
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


rgerhards at hq

Mar 26, 2012, 7:56 AM

Re: Best Way to Add Properties?

> We're working on a new input module, to parse Cisco Netflow data. As
> part of this, we parse out all the relevant pieces of information
> (source IP, destination IP, etc.), and then recombine them into a
> string, which then gets passed on. It seems very inefficient to parse
> out individual pieces, recombine them into a string, and then re-parse
> it out when we want to use it in a template.
>
> Is there a way for an input or message modification module to add
> additional properties to each message? Would it be better to write a
> liblognorm parser? Apart from mmnormalize, are there other modules that
> do this that we could look at?

I am currently redesigning this capability, as part of the cee/lumberjack
effort. I expect that much in this area will improve in April. Right now, there
is mmjsonparse, which probably gives you an idea of how to do it.

If mmnormalize fits your needs, I suggest using it, as the parser is
optimized for semi-structured text.

Rainer
