Examples of Configuration Rules
The following sample rule file shows both types of rules. In these examples, each $ pattern in the template is replaced, in the formatted message, with the text captured by the corresponding capturing group of the regular expression. Each matching $ pattern is color coded in the following examples.
source_type=LogLogic Appliance
#######################
#   LOGLOGIC EVENTS   #
#######################

Scenario#1: Transform messages before forwarding to downstream

match=ending config mgmt job
regexp(.+)\s(.+)\slx_scheduler:\s(.+)\s(.+):\s\((.+)\)\slx_scheduler:\sending\sconfig\smgmt\sjob
template LOGS|LogLogic MODEL|CC01|Application configuration change|5|deviceExternalId=62968-1 msg=ending config mgmt job shost=$2 dhost=$2 log_type=$3 process_id=$4 session_start=$5 suser=system suid=system spriv=User
Note: When writing a regular expression, define as few capturing patterns as possible. Define only those capturing patterns that the template actually uses to format the forwarded message. Unused capturing patterns in the regular expression can quickly degrade forwarding performance, because every capture is evaluated for every message that reaches the rule.
If the original message is as follows:

<11>Sep 12 20:49:41 localhost lx_scheduler: %LOGLOGIC-PRI-6 8329: (1315860581) lx_scheduler: ending config mgmt job

The formatted log message will appear as follows:

LOGS|LogLogic MODEL|CC01|Application configuration change|5|deviceExternalId=62968-1 msg=ending config mgmt job shost=localhost dhost=localhost log_type=%LOGLOGIC-PRI-6 process_id=8329: session_start=1315860581 suser=system suid=system spriv=User

In the previous example, $2 in the template is replaced with localhost; $3 is replaced with %LOGLOGIC-PRI-6; $4 is replaced with 8329:; $5 is replaced with 1315860581.

Scenario#2: Extract fields only

match=action:logoff; status:success;
regexp(.+)\s+?(%L.+)\s+?user:(.+);\s+?module:(.+);\s+?action:(.+);\s+?status:(.+);\s+?session_id:(.+);\s+?client_ip:(.+);\s+?target_ip:(.+);\s+?session_start:(.+);\s+?session_duration:(.+);\s+?disconnect_reason:(.+);\s+?info:
template LOGS|LogLogic MODEL|$3 $4 $5 $6 $7 $8 $9 $10

If the original message is as follows:

<182> Sep 13 18:50:24 20.20.20.20 %LOGLOGIC-6-3102: user:admin; module:user_intfc; action:logoff; status:success; session_id:4203070123; client_ip:10.10.0.1; target_ip:20.20.20.20; session_start:1315965001; session_duration:23; disconnect_reason:user_logoff; info:sign out, orig_session_id,FA85C2AB28037AC810F8A8BCB71B4A33,

Then, after running the rule, the formatted log message will appear as follows:

LOGS|LogLogic MODEL|admin user_intfc logoff success 4203070123 10.10.0.1 20.20.20.20 1315965001

# Scenario#3: forward all RAW messages and shred 4203070123 to replace it with XXXXXXXXX
source_type=LogLogic Appliance
#######################
#   LOGLOGIC EVENTS   #
#######################
forwardall
shred=4203070123
replace=XXXXXXXXX

If the original log message is as follows:

<182> Sep 13 18:50:24 20.20.20.20 %LOGLOGIC-6-3102: user:admin; module:user_intfc; action:logoff; status:success; session_id:4203070123; client_ip:10.10.0.1; target_ip:20.20.20.20; session_start:1315965001; session_duration:23; disconnect_reason:user_logoff; info:sign out, orig_session_id,FA85C2AB28037AC810F8A8BCB71B4A33,

Then, after running the rule, the formatted log message will appear as follows, where 4203070123 is replaced with XXXXXXXXX:

<182> Sep 13 18:50:24 20.20.20.20 %LOGLOGIC-6-3102: user:admin; module:user_intfc; action:logoff; status:success; session_id:XXXXXXXXXX; client_ip:10.10.0.1; target_ip:20.20.20.20; session_start:1315965001; session_duration:23; disconnect_reason:user_logoff; info:sign out, orig_session_id,FA85C2AB28037AC810F8A8BCB71B4A33,
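The following added example (not the appliance's own code) mimics the documented rule behaviour with Python's re module on the Scenario#2 rule and message, and also implements the shred/replace step of Scenario#3 and a check for capturing groups the template never uses, which is what the Note above warns about. It assumes that match= is a plain substring pre-filter applied before the regexp and that $N stands for capturing group N; the appliance's real matching engine may differ.

```python
import re

# Scenario#2 rule and message as written on this page (constructed test input).
SCENARIO2_RULE = {
    "match": "action:logoff; status:success;",
    "regexp": (r"(.+)\s+?(%L.+)\s+?user:(.+);\s+?module:(.+);\s+?action:(.+);\s+?status:(.+);"
               r"\s+?session_id:(.+);\s+?client_ip:(.+);\s+?target_ip:(.+);\s+?session_start:(.+);"
               r"\s+?session_duration:(.+);\s+?disconnect_reason:(.+);\s+?info:"),
    "template": "LOGS|LogLogic MODEL|$3 $4 $5 $6 $7 $8 $9 $10",
}
SCENARIO2_MSG = ("<182> Sep 13 18:50:24 20.20.20.20 %LOGLOGIC-6-3102: user:admin; module:user_intfc; "
                 "action:logoff; status:success; session_id:4203070123; client_ip:10.10.0.1; "
                 "target_ip:20.20.20.20; session_start:1315965001; session_duration:23; "
                 "disconnect_reason:user_logoff; info:sign out, orig_session_id,"
                 "FA85C2AB28037AC810F8A8BCB71B4A33,")


def apply_rule(rule, message):
    """Return the formatted message, or None if the rule does not apply.

    Assumption: 'match' is a cheap substring pre-filter, then the regexp is
    searched and every $N in the template is replaced by capturing group N.
    """
    if rule["match"] not in message:
        return None
    m = re.search(rule["regexp"], message)
    if m is None:
        return None
    # \d+ is greedy, so "$10" resolves to group 10 rather than group 1 plus "0".
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), rule["template"])


def shred(message, value, replacement):
    """Scenario#3 behaviour: forward the raw message with a sensitive value masked."""
    return message.replace(value, replacement)


def unused_groups(rule):
    """Capturing groups the template never references (they only cost matching time)."""
    total = re.compile(rule["regexp"]).groups
    used = {int(n) for n in re.findall(r"\$(\d+)", rule["template"])}
    return sorted(set(range(1, total + 1)) - used)
```

For the Scenario#2 rule, unused_groups reports groups 1, 2, 11 and 12, so the regexp could drop four capturing patterns without changing the forwarded message.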
Copyright © 2020. Cloud Software Group, Inc. All Rights Reserved.