rgerhards at hq
Mar 26, 2012, 7:56 AM
Post #2 of 2
> We're working on a new input module, to parse Cisco Netflow data. As
> part of this, we parse out all the relevant pieces of information
> (source IP, destination IP, etc.), and then recombine them into a
> string, which then gets passed on. It seems very inefficient to parse
> out individual pieces, recombine them into a string, and then re-parse
> it out when we want to use it in a template.
> Is there a way for an input or message modification module to add
> additional properties to each message? Would it be better to write a
> liblognorm parser? Apart from mmnormalize, are there other modules that
> do this that we could look at?
I am currently redesigning this capability, as part of the cee/lumberjack
effort. I expect that much in this area improves in April. Right now, there
is mmjsonparse, which probably gets you one idea of how to do it.
If mmnormalize fits your needs, I suggest to use it, as the parser is
optimized for semi-structured text.
rsyslog mailing list