[rsyslog-notify] Forum Thread: How to convert (from CEF to CSV) and forward a message ? - (Mode 'post')
noreply at adiscon.com
Thu May 14 12:13:38 CEST 2015
User: vdesabou
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25603#p25603
Message:
----------
Hello,
My goal is to receive a message which is in CEF format and transform it into CSV.
So my understanding is that I should do it like this:
1. Receive a CEF message with syslog (port 514) and apply a ruleset (here cef_ruleset)
2. Parse it with the CEF parser (using mmnormalize and cef.rb)
3. Transform it to CSV format (using template csv)
4. Forward the message to syslog on port 514 so that an external application can parse the CSV message (using omfwd with template csv?)
Steps 1, 2 and 3 are OK, but I'm not sure exactly how to do step 4.
This is what I'm using right now:
[code]
module(load="mmnormalize")

template(name="csv" type="list") {
    # syslog properties
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timegenerated")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    # CSV
    constant(value="0")
    constant(value=",")
    property(name="$!cef!DeviceVendor" format="csv")
    constant(value=",")
    property(name="$!cef!DeviceProduct" format="csv")
    constant(value=",")
    property(name="$!cef!DeviceVersion" format="csv")
    constant(value=",")
    property(name="$!cef!SignatureID" format="csv")
    constant(value=",")
    property(name="$!cef!Name" format="csv")
    constant(value=",")
    property(name="$!cef!Severity" format="csv")
    constant(value=",")
    property(name="$!cef!Extensions!act" format="csv")
    constant(value="\n")
}

ruleset(name="cef_ruleset") {
    # CEF message
    if $msg startswith ' CEF:0' then {
        action(type="mmnormalize"
               ruleBase="/etc/rsyslog.d/cef.rb"
               useRawMsg="off"
        )
        action(type="omfwd" Target="localhost" Port="514" Protocol="tcp"
               TCP_Framing="octet-counted" template="csv")
    } else {
        action(type="omfwd" Target="localhost" Port="514" Protocol="tcp"
               TCP_Framing="octet-counted")
    }
}

input(type="imtcp" port="514" ruleset="cef_ruleset")
input(type="imudp" port="514" ruleset="cef_ruleset")
[/code]
[code]
cat /etc/rsyslog.d/cef.rb
rule=: %cef:cef%
[/code]
Is this the way to go? Do I really need to use omfwd?
The result is that I can receive the CSV message as a syslog message as expected; however, I get a number at the beginning (here 781):
[code]
781 <2>May 14 11:00:40 MacBookPro-Vincent syslog[2218]:0,"Internal Application", ….
[/code]
Any idea where it is coming from?
Thanks
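Added example, not part of the post above and not rsyslog project code: a small Python model of what the configuration does, so the two halves of the question can be inspected outside rsyslog. It parses a CEF header and its extensions (including the `\|` and `\=` escapes), emits the CSV part of the "csv" template in the same column order with the RFC 4180 quoting that rsyslog's `format="csv"` applies, and frames the result with RFC 6587 octet counting, which is the framing `TCP_Framing="octet-counted"` selects and which prefixes every message with its byte length (the `781` in the captured output). The sample CEF event and the function names are constructed for this example.

```python
"""Added example (not from the forum post or the rsyslog project): a small
CEF -> CSV converter mirroring the column order of the "csv" template above,
plus the RFC 6587 octet-counted framing that TCP_Framing="octet-counted"
produces. All sample messages are constructed for this example."""
import re

# Header fields in the order CEF defines them (after the literal "CEF:" prefix).
HEADER_FIELDS = ("Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "SignatureID", "Name", "Severity")


def _split_header(msg):
    """Split the seven CEF header fields on '|', honouring the '\\|' escape.
    Returns (header_fields, extension_string)."""
    parts, cur, i = [], [], 0
    while i < len(msg):
        c = msg[i]
        if c == "\\" and i + 1 < len(msg) and msg[i + 1] in "|\\":
            cur.append(msg[i + 1])          # escaped pipe or backslash
            i += 2
            continue
        if c == "|":
            parts.append("".join(cur))
            cur = []
            if len(parts) == len(HEADER_FIELDS):
                return parts, msg[i + 1:]   # everything after the 7th '|' is the extension
        else:
            cur.append(c)
        i += 1
    raise ValueError("CEF header must contain %d pipe-separated fields" % len(HEADER_FIELDS))


def parse_cef(msg):
    """Parse one CEF message into a dict of header fields plus an 'Extensions' dict."""
    msg = msg.strip()                       # rsyslog's $msg usually carries a leading space
    if not msg.startswith("CEF:"):
        raise ValueError("not a CEF message")
    header, ext = _split_header(msg)
    fields = dict(zip(HEADER_FIELDS, header))
    fields["Version"] = fields["Version"][len("CEF:"):]
    # Extensions are "key=value" pairs whose values may contain spaces, so split
    # on the next "key=" token rather than on whitespace. An escaped '\=' never
    # matches because a backslash is not a word character.
    toks = re.split(r"\s*(\w+)=", ext)      # ['', k1, v1, k2, v2, ...]
    fields["Extensions"] = {
        k: v.replace("\\=", "=").replace("\\\\", "\\")
        for k, v in zip(toks[1::2], toks[2::2])
    }
    return fields


def csv_field(value):
    """Quote a field the way rsyslog's format="csv" does (RFC 4180):
    always wrapped in double quotes, embedded quotes doubled."""
    return '"' + str(value).replace('"', '""') + '"'


def cef_to_csv(fields):
    """CSV part of the template: literal 0, six header fields, then $!cef!Extensions!act."""
    cols = [fields[k] for k in HEADER_FIELDS[1:]] + [fields["Extensions"].get("act", "")]
    return "0," + ",".join(csv_field(c) for c in cols)


def frame_octet_counted(payload):
    """RFC 6587 octet counting: 'MSG-LEN SP SYSLOG-MSG', length in bytes."""
    data = payload.encode("utf-8")
    return b"%d %s" % (len(data), data)


def split_octet_counted(stream):
    """Inverse of frame_octet_counted over a byte stream holding several frames."""
    msgs = []
    while stream:
        sp = stream.index(b" ")
        length = int(stream[:sp])
        body = stream[sp + 1:sp + 1 + length]
        if len(body) != length:
            raise ValueError("truncated frame")
        msgs.append(body.decode("utf-8"))
        stream = stream[sp + 1 + length:]
    return msgs


# Constructed sample event in the classic CEF shape (not a real event).
SAMPLE_CEF = ("CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
              "src=10.0.0.1 dst=2.1.2.2 spt=1232 act=blocked")

if __name__ == "__main__":
    csv_line = cef_to_csv(parse_cef(SAMPLE_CEF))
    framed = frame_octet_counted("<2>May 14 11:00:40 host syslog[2218]:" + csv_line)
    print(framed.decode())                  # leading number is the byte count of the message
    print(split_octet_counted(framed))
```

The receiver on the other side of the omfwd action has to understand the same framing: a consumer that expects one message per line will see the length prefix as part of the payload, while one that reads octet-counted frames (as `split_octet_counted` does) gets clean records and is not confused by embedded newlines in a field.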