Module for message conversion


Postby jlisbz » Fri May 14, 2010 1:03 am

Hi,

I am trying to convert log messages from an application into some specific format, maybe XML or JSON. After the message conversion, it still uses whatever rsyslog provides to send out to the destinations.

Do I need to write a module for this? Should that be a input module or output module? Is there an example for that?

Thanks for the direction.

John
jlisbz
New
 
Posts: 3
Joined: Fri May 14, 2010 12:52 am


Re: Module for message conversion

Postby rgerhards » Fri May 14, 2010 4:13 am

You mean you just need a custom message format? Then you should look into templates. There are some samples in the doc, and you can most probably find more at http://wiki.rsyslog.com and/or http://cookbook.rsyslog.com

HTH
Rainer
rgerhards
Site Admin
 
Posts: 3807
Joined: Thu Feb 13, 2003 11:57 am

Re: Module for message conversion

Postby jlisbz » Fri May 14, 2010 1:02 pm

Yes. I looked into templates already, but they could cause performance issues.

For example, a typical firewall log:
192.168.20.5 23456 192.168.10.10 80 Accept Web
192.168.20.6 5678 192.168.10.10 22 Deny SSH

If I want to have the XML form of them, it could be:
<srcip>192.168.20.5</srcip><dstip>192.168.10.10</dstip><srcport>23456</srcport><dstport>80</dstport><action>Accept</action><comment>Web</comment>
<srcip>192.168.20.6</srcip><dstip>192.168.10.10</dstip><srcport>5678</srcport><dstport>22</dstport><action>Deny</action><comment>SSH</comment>

If I understand templates correctly, I would have to do an RE 6 times for each log entry, and that could cause performance issues in a large environment for sure.

But anyway, this should be doable with templates. I am looking for a plugin to parse and convert the message so it only needs to do the RE once.

Any idea?
jlisbz
New
 
Posts: 3
Joined: Fri May 14, 2010 12:52 am
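
The single-pass conversion asked about in the post above, as an added example that is not part of the thread and does not use the rsyslog plugin API: a stand-alone C function that splits the sample firewall line once and emits the XML layout from the post, escaping field values so log content cannot inject markup. The name `fw_to_xml` and the treatment of the last column as free text are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Element names in input column order, and the element order of the post's XML. */
static const char *TAGS[6] = {"srcip", "srcport", "dstip", "dstport", "action", "comment"};
static const int ORDER[6] = {0, 2, 1, 3, 4, 5};

/* Append len bytes and keep out NUL-terminated; returns 0 if they do not fit. */
static int put(char *out, size_t cap, size_t *n, const char *s, size_t len) {
    if (len >= cap - *n) return 0;
    memcpy(out + *n, s, len);
    out[*n += len] = '\0';
    return 1;
}

/* Append a field value, escaping the characters XML would read as markup. */
static int put_escaped(char *out, size_t cap, size_t *n, const char *s, size_t len) {
    for (size_t i = 0; i < len; i++) {
        const char *rep = s[i] == '<' ? "&lt;" : s[i] == '>' ? "&gt;" : s[i] == '&' ? "&amp;" : NULL;
        if (!(rep ? put(out, cap, n, rep, strlen(rep)) : put(out, cap, n, s + i, 1))) return 0;
    }
    return 1;
}

/* Split the line once, then emit XML. Returns 0, or -1 on a short line or full buffer. */
int fw_to_xml(const char *line, char *out, size_t cap) {
    const char *start[6], *p = line;
    size_t flen[6], n = 0;
    for (int i = 0; i < 6; i++) {
        while (*p == ' ') p++;
        start[i] = p;
        /* Assumption: the last column (comment) is free text and runs to end of line. */
        while (*p && *p != '\n' && (i == 5 || *p != ' ')) p++;
        if ((flen[i] = (size_t)(p - start[i])) == 0) return -1;
    }
    for (int k = 0; k < 6; k++) {
        int f = ORDER[k];
        size_t tl = strlen(TAGS[f]);
        if (!put(out, cap, &n, "<", 1) || !put(out, cap, &n, TAGS[f], tl) || !put(out, cap, &n, ">", 1)
            || !put_escaped(out, cap, &n, start[f], flen[f])
            || !put(out, cap, &n, "</", 2) || !put(out, cap, &n, TAGS[f], tl) || !put(out, cap, &n, ">", 1))
            return -1;
    }
    return 0;
}

int main(void) {
    char xml[512]; /* input below is constructed: the first sample line from the post */
    return fw_to_xml("192.168.20.5 23456 192.168.10.10 80 Accept Web", xml, sizeof xml) ? 1 : (puts(xml), 0);
}
```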

Re: Module for message conversion

Postby rgerhards » Fri May 14, 2010 1:08 pm

With the current code base, an output plugin would probably be the best (fastest) route to take...
rgerhards
Site Admin
 
Posts: 3807
Joined: Thu Feb 13, 2003 11:57 am

Re: Module for message conversion

Postby jlisbz » Fri May 14, 2010 4:26 pm

Thanks for the reply. One thing I want to make sure of is that the output plugin which I will make should still be able to use other output methods such as syslog/snmp etc. with the converted message, right? Sorry if this is too obvious for the seasoned rsyslog developers.
jlisbz
New
 
Posts: 3
Joined: Fri May 14, 2010 12:52 am
