Channel: Questions in topic: "splunk-enterprise"

Field extraction from lines with different fields from same source

I have a source from which I am collecting logs via syslog. My challenge is that the log files sent by the same source contain lines that are not consistent in terms of fields. Please see below.

Mar 11 21:19:08 10.10.10.10 11/03/2016:10:12:47 APAP-XXXX01 0-PPE-0 : TCP CONN_TERMINATE 5454405 0 : Source 10.20.20.20:80 - Destination 10.30.30.30:4172 - Start Time 11/03/2016:10:12:47 - End Time 11/03/2016:10:12:47 - Total_bytes_send 0 - Total_bytes_recv 1
Mar 11 19:55:23 10.10.10.10 11/03/2016:08:49:02 APAP-XXXX01 0-PPE-0 : SNMP TRAP_SENT 5441806 0 : entityup (entityName = "server_svc_NSSVC_DNS_10.50.50.50:53(nameserve...", sysIpAddress = 10.10.10.10)
Mar 11 19:55:23 10.10.10.10 11/03/2016:08:49:02 APAP-XXXX01 0-PPE-0 : EVENT DEVICEUP 5441805 0 : Device "server_svc_NSSVC_DNS_10.50.50.50:53(nameserver_10.50.50.50_53)" - State UP
Mar 11 21:18:57 10.10.10.10 11/03/2016:10:12:36 APAP-XXXX01 0-PPE-0 : TCP CONN_DELINK 5454373 0 : Source 10.10.20.20:64920 - Vserver 10.20.10.30:443 - NatIP 127.0.0.2:25769 - Destination 127.0.0.1:80 - Delink Time 11/03/2016:10:12:36 - Total_bytes_send 336 - Total_bytes_recv 9066

My question is: is there a way to select lines based on some keywords, e.g. CONN_TERMINATE or CONN_DELINK or SNMP or EVENT and so on, and then apply a specific regex pattern in my props.conf file to extract fields from those lines? Lines containing keywords such as CONN_TERMINATE or CONN_DELINK seem to have similar fields, but others are not.
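The keyword-gated extraction the question asks about, shown as an added Python example (not the poster's code and not Splunk's own configuration): one regex captures the header every line shares, and the event-type token it extracts selects a second, layout-specific regex for the rest of the line. The sample lines are the four from the question; the field names, the `HEADER_RE`/`BODY_RES` structure and the `unparsed_body` fallback are this example's own choices, not anything from the page.

```python
import re

# The four lines quoted in the question, used here as sample input.
SAMPLE_LINES = [
    'Mar 11 21:19:08 10.10.10.10 11/03/2016:10:12:47 APAP-XXXX01 0-PPE-0 : TCP CONN_TERMINATE 5454405 0 : '
    'Source 10.20.20.20:80 - Destination 10.30.30.30:4172 - Start Time 11/03/2016:10:12:47 - '
    'End Time 11/03/2016:10:12:47 - Total_bytes_send 0 - Total_bytes_recv 1',
    'Mar 11 19:55:23 10.10.10.10 11/03/2016:08:49:02 APAP-XXXX01 0-PPE-0 : SNMP TRAP_SENT 5441806 0 : '
    'entityup (entityName = "server_svc_NSSVC_DNS_10.50.50.50:53(nameserve...", sysIpAddress = 10.10.10.10)',
    'Mar 11 19:55:23 10.10.10.10 11/03/2016:08:49:02 APAP-XXXX01 0-PPE-0 : EVENT DEVICEUP 5441805 0 : '
    'Device "server_svc_NSSVC_DNS_10.50.50.50:53(nameserver_10.50.50.50_53)" - State UP',
    'Mar 11 21:18:57 10.10.10.10 11/03/2016:10:12:36 APAP-XXXX01 0-PPE-0 : TCP CONN_DELINK 5454373 0 : '
    'Source 10.10.20.20:64920 - Vserver 10.20.10.30:443 - NatIP 127.0.0.2:25769 - Destination 127.0.0.1:80 - '
    'Delink Time 11/03/2016:10:12:36 - Total_bytes_send 336 - Total_bytes_recv 9066',
]

# Header shared by every line: syslog timestamp, relay host, device timestamp,
# device name, PPE id, then "<facility> <event_type> <msg_id> <flag> : <body>".
# The event_type token (CONN_TERMINATE, TRAP_SENT, ...) is the keyword that
# decides which body regex applies. Field names are this example's assumptions.
HEADER_RE = re.compile(
    r"^(?P<syslog_time>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<device_time>\S+) (?P<device>\S+) (?P<ppe>\S+) : "
    r"(?P<facility>\S+) (?P<event_type>\S+) (?P<msg_id>\d+) (?P<flag>\d+) : (?P<body>.*)$"
)

IP = r"[\d.]+"

# One body regex per event keyword; only the matching one is ever applied.
BODY_RES = {
    "CONN_TERMINATE": re.compile(
        rf"Source (?P<src_ip>{IP}):(?P<src_port>\d+) - Destination (?P<dst_ip>{IP}):(?P<dst_port>\d+) - "
        r"Start Time (?P<start_time>\S+) - End Time (?P<end_time>\S+) - "
        r"Total_bytes_send (?P<bytes_sent>\d+) - Total_bytes_recv (?P<bytes_recv>\d+)"
    ),
    "CONN_DELINK": re.compile(
        rf"Source (?P<src_ip>{IP}):(?P<src_port>\d+) - Vserver (?P<vserver_ip>{IP}):(?P<vserver_port>\d+) - "
        rf"NatIP (?P<nat_ip>{IP}):(?P<nat_port>\d+) - Destination (?P<dst_ip>{IP}):(?P<dst_port>\d+) - "
        r"Delink Time (?P<delink_time>\S+) - "
        r"Total_bytes_send (?P<bytes_sent>\d+) - Total_bytes_recv (?P<bytes_recv>\d+)"
    ),
    "TRAP_SENT": re.compile(
        rf'(?P<trap>\w+) \(entityName = "(?P<entity_name>[^"]*)", sysIpAddress = (?P<sys_ip>{IP})\)'
    ),
    "DEVICEUP": re.compile(r'Device "(?P<device_name>[^"]*)" - State (?P<state>\w+)'),
}


def parse_line(line):
    """Return a dict of extracted fields, or None if the line has no recognisable header.

    Lines whose keyword has no body regex, or whose body no longer matches the
    expected layout, keep the header fields and carry the raw remainder in
    'unparsed_body' so the mismatch is visible rather than silently dropped.
    """
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    body = fields.pop("body")
    body_re = BODY_RES.get(fields["event_type"])
    bm = body_re.match(body) if body_re is not None else None
    if bm is None:
        fields["unparsed_body"] = body
    else:
        fields.update(bm.groupdict())
    return fields


def parse_lines(lines):
    """Parse many lines, dropping those with no recognisable header."""
    return [f for f in (parse_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec["event_type"], {k: v for k, v in rec.items() if k not in HEADER_RE.groupindex})
```

In Splunk the same gating is done by giving each body pattern its own transforms.conf stanza whose REGEX begins with the keyword itself (for example a regex that starts with `CONN_TERMINATE \d+ \d+ : Source ...`), and listing those stanzas in a REPORT- setting in props.conf for the sourcetype; a stanza whose regex does not match a given event simply contributes no fields to it, which is the selection behaviour the question asks for. Splunk's PCRE accepts the same named groups, so the patterns above carry over largely unchanged.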
