[rsyslog-notify] Forum Thread: How best to strip out part of message - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Tue Sep 13 17:25:08 CEST 2016


User: tsc001 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26932#p26932

Message: 
----------
I have a syslog relay host that receives syslog data from a web proxy
server. This contains the full URL that the user is trying to reach.
Currently I have configured rsyslog to simply forward these messages to the
central SIEM servers.
I want to be able to strip down the URL data to simply contain the protocol
and host.
I have been trying to work out a way to achieve this but failing due to my
lack of rsyslog configuration knowledge.

An example of the message received and stored on the syslog relay system
is:-
Sep 13 08:02:42 10.171.237.238 CEF: 0|Myproxy|Security|8.1.0|76|Transaction
blocked|7| act=blocked app=https dvc=192.168.2.11 dst=131.253.61.68
dhost=login.live.com dpt=443 src=192.168.5.55 spt=53190 suser=-
destinationTranslatedPort=59333 rt=1473771762000 in=0 out=0
requestMethod=POST requestClientApplication=Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 6.3; Win64; .NET4.0E; .NET4.0C; IDCRL 10.6.3.9600.17415;
IDCRL-cfg 15.0.22120.0; App svchost.exe, 6.3.9600.17415,
{DF60E2DF-88AD-4526-AE21-83D130EF0F68}) reason=- cs1Label=Policy cs1=Super
Administrator**Block All cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=-
cn1Label=DispositionCode cn1=1029 cn2Label=ScanDuration cn2=13
request=https://login.live.com/ppsecure/deviceaddcredential.srf

The configuration I have is:-
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName logrhytm.qfile # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
*.* @192.168.15.15:514

I wish to strip "/ppsecure/deviceaddcredential.srf" from the message so the
forwarded message would look like:-
Sep 13 08:02:42 10.171.237.238 CEF: 0|Myproxy|Security|8.1.0|76|Transaction
blocked|7| act=blocked app=https dvc=192.168.2.11 dst=131.253.61.68
dhost=login.live.com dpt=443 src=192.168.5.55 spt=53190 suser=-
destinationTranslatedPort=59333 rt=1473771762000 in=0 out=0
requestMethod=POST requestClientApplication=Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 6.3; Win64; .NET4.0E; .NET4.0C; IDCRL 10.6.3.9600.17415;
IDCRL-cfg 15.0.22120.0; App svchost.exe, 6.3.9600.17415,
{DF60E2DF-88AD-4526-AE21-83D130EF0F68}) reason=- cs1Label=Policy cs1=Super
Administrator**Block All cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=-
cn1Label=DispositionCode cn1=1029 cn2Label=ScanDuration cn2=13
request=https://login.live.com

What is best way of achieving this?
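Added example, not part of the thread: a small Python implementation of the reduction the post asks for, run against a constructed copy of the quoted proxy message. It shows two ways to do it. The first tokenises the CEF extension properly (values such as "cs1=Super Administrator**Block All" contain spaces, so the request= value has to be delimited by the next key, not by whitespace) and reduces the URL with urlsplit, which also drops any userinfo, query string and fragment, the parts of a URL most likely to carry credentials or session tokens. The second is a single anchored expression written in the POSIX ERE dialect that rsyslog's regex features accept; it assumes, as in the message above, that request= is the last extension field, because everything after scheme://host is discarded with the path. The sample message and all function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on (and shortened from) the message quoted in the thread.
SAMPLE = (
    "Sep 13 08:02:42 10.171.237.238 CEF: 0|Myproxy|Security|8.1.0|76|Transaction blocked|7| "
    "act=blocked app=https dvc=192.168.2.11 dst=131.253.61.68 dhost=login.live.com dpt=443 "
    "src=192.168.5.55 spt=53190 suser=- requestMethod=POST "
    "cs1Label=Policy cs1=Super Administrator**Block All cn1Label=DispositionCode cn1=1029 "
    "request=https://login.live.com/ppsecure/deviceaddcredential.srf"
)

# A CEF extension value runs until the next " key=" token, so the request= value is
# delimited by a lookahead for the next key or the end of the message. "\b" keeps
# requestMethod= and requestClientApplication= from matching.
REQUEST_FIELD = re.compile(r"(?P<key>\brequest=)(?P<url>.*?)(?=\s+[A-Za-z][A-Za-z0-9_]*=|\s*$)")


def reduce_url(url: str) -> str:
    """Keep only scheme://host[:port]; drop userinfo, path, query and fragment."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return url  # not a URL urlsplit understands; leave it untouched
    host = parts.hostname
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
        host = f"[{host}]"
    try:
        port = parts.port
    except ValueError:  # malformed port; treat as absent
        port = None
    if port is not None:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def strip_request_url(message: str) -> str:
    """Return the message with the CEF request= URL reduced to scheme://host[:port].

    Messages without a request= field are returned unchanged.
    """
    return REQUEST_FIELD.sub(
        lambda m: m.group("key") + reduce_url(m.group("url")), message, count=1
    )


# Single-expression variant, valid both as a Python regex and as POSIX ERE.
# Submatch 1 is everything up to and including scheme://host; the rest of the
# line (path and anything after it) is dropped, so it assumes request= is the
# last extension field. "[^/ ]+" keeps userinfo and port if the URL has them.
ERE_PATTERN = re.compile(r"^(.*request=[A-Za-z]+://[^/ ]+).*$")


def strip_request_url_ere(message: str) -> str:
    """Regex-only reduction; returns the message unchanged when it does not match."""
    m = ERE_PATTERN.match(message)
    return m.group(1) if m else message


if __name__ == "__main__":
    print(strip_request_url(SAMPLE))
    print(strip_request_url_ere(SAMPLE))
```

Both functions turn the sample's trailing field into request=https://login.live.com while leaving every other field alone. The ERE form is the kind of expression you would hand to rsyslog's regex support (the property replacer's R option, or the re_extract() function in RainerScript) and reference from a forwarding template in place of %msg%; the exact template and property names depend on the rsyslog version, so treat that as a starting point rather than a drop-in config. If the proxy ever emits extension fields after request=, only the tokenising version keeps them.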

