Getting JSON output of Cisco router logs with syslog-ng

I have the following Cisco router log:

Sep 18 20:55:30 2405:XXX:204:XXX:172:22:XXX:25 93596: 093382: Sep 18 20:53:17.848 IST: %TCP-6-BADAUTH: No MD5 digest from 2405:XXX:201:201:XXX:22:193:30(179) to 2405:XXX:201:XXX:172:22:XXX:25(15616) (RST) tableid - 0 

I want to use syslog to produce key-value pairs for each log entry:

 "@timestamp": "Sep 18 20:55:30", "host": "2405:XXX:204:XXX:172:22:XXX:25", "seq_no1": "93596", "seq_no2": "093382", "@timestamp1": "Sep 18 20:53:17.848", "protocol": "TCP" "severity": "6" "message": "BADAUTH", "msg": "575387: No MD5 digest from 2405:XXX:201:201:XXX:22:193:30(179) to 2405:XXX:201:XXX:172:22:XXX:25(15616) (RST) tableid - 0" 

I need help with the regular expression for this pattern matching in my syslog-ng.conf file.

 destination d_cisco { file("/var/log/cisco/all_syslog_in_json.log" perm(0666) template("{\"@timestamp\": \"$ISODATE\", \"host\": \"$HOST\", \"seq_no1\": \"$SEQNUM\", \"seq_no2\": \"$SEQNUM\", \"@timestamp1\": \"$ISODATE\", \"protocol-severity-message\": \"$FAC-SEV-MNEMONIC\", \"message\": \"$MSG\"}\n")); };
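
One way to write the pattern the question asks for, shown as an added example in Python rather than syslog-ng configuration (it is not part of the original post). The names `CISCO_RE`, `parse_cisco` and `to_json` are hypothetical, and the pattern assumes the facility and mnemonic consist of uppercase letters, digits and underscores. The record is serialized with a JSON library so that quotes inside the message cannot break the output line.

```python
import json
import re

# Constructed sample: the log line from the question, address parts masked as posted.
SAMPLE = ("Sep 18 20:55:30 2405:XXX:204:XXX:172:22:XXX:25 93596: 093382: "
          "Sep 18 20:53:17.848 IST: %TCP-6-BADAUTH: No MD5 digest from "
          "2405:XXX:201:201:XXX:22:193:30(179) to "
          "2405:XXX:201:XXX:172:22:XXX:25(15616) (RST) tableid - 0")

# "Mon DD HH:MM:SS" as used in both the relay header and the router's own stamp.
TS = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"

CISCO_RE = re.compile(
    r"^(?P<timestamp>" + TS + r") "           # time the relay received the line
    r"(?P<host>\S+) "                         # sending device
    r"(?P<seq_no1>\d+): "                     # first sequence number
    r"(?:(?P<seq_no2>\d+): )?"                # second sequence number, if present
    r"[*.]?(?P<timestamp1>" + TS + r"(?:\.\d+)?)"  # router clock, optional msec
    r"(?: [A-Za-z]+)?: "                      # optional time zone (e.g. IST)
    r"%(?P<protocol>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<message>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)

# Regex group name -> JSON key wanted in the question.
KEYS = {"timestamp": "@timestamp", "host": "host", "seq_no1": "seq_no1",
        "seq_no2": "seq_no2", "timestamp1": "@timestamp1",
        "protocol": "protocol", "severity": "severity",
        "message": "message", "msg": "msg"}


def parse_cisco(line):
    """Return a dict of the question's fields, or None if the line does not match."""
    m = CISCO_RE.match(line.strip())
    if m is None:
        return None
    return {KEYS[k]: v for k, v in m.groupdict().items() if v is not None}


def to_json(line):
    """One JSON object per line; unmatched lines are kept, not silently dropped."""
    rec = parse_cisco(line)
    if rec is None:
        rec = {"unparsed": line.strip()}
    return json.dumps(rec)  # json.dumps escapes quotes and control characters


if __name__ == "__main__":
    print(to_json(SAMPLE))
```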