Merge two syslog events to a new one


#1 GLE

Hello, what is the best way to merge information from two events into a new one?

I have one event with connection information and a second event with the user ID. And I need the user ID additionally to the first event with the connection information, forwarded in a syslog stream. There is a connection ID in the event that I can use as a filter.

The problem is that there are some more events too with the same connection ID.

#2 b0ti Nxlog ✓

You may want to look at using pm_evcorr for this.

First you'll need to extract the connection ID that can be used to correlate on. In the second rule you would retrieve the data from the first event and add it to the second.

<Processor evcorr>
    Module      pm_evcorr

    # Rule 1: pull the connection ID out of every event so it can serve as the correlation key
    <Simple>
        Exec    if $raw_event =~ /..../ $ConnectionID = $1;
    </Simple>

    # Rule 2: when the second event arrives within 30 seconds of the first one
    # for the same $ConnectionID, append the first event's raw message to it
    <Pair>
        TriggerCondition    $raw_event =~ /match-first/
        RequiredCondition   $raw_event =~ /match-second/
        Interval            30
        Context             $ConnectionID
        # rewrite the message here
        Exec                $raw_event = $raw_event + get_prev_event_data("raw_event");
    </Pair>
</Processor>

Note that it is not possible to go back in time, so it cannot take data from the second event and modify the event before that; you'll need to do it the other way around.
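To make the behaviour of that Pair rule concrete, here is an added Python model of the same correlation logic (example code written for this thread, not NXLog's own implementation or the poster's configuration). It assumes constructed sshd-style syslog lines carrying a hypothetical `conn_id=` token, a "connection from" line as the trigger event, an "accepted ... for <user>" line as the required event, and a 30-second interval. Events sharing the connection ID that match neither pattern are simply passed through, which is the case the question raised; a required event that arrives after the interval is not merged, just as the Pair rule would have dropped its context by then.

```python
import re
from datetime import datetime, timedelta

# Constructed sample stream: one complete pair, one unrelated event with the
# same connection ID, and a second pair whose login arrives too late.
SAMPLE_LINES = [
    "<34>Jan 12 10:00:01 fw sshd[1234]: connection from 10.0.0.5 port 51234 conn_id=abc123",
    "<34>Jan 12 10:00:02 fw sshd[1234]: keepalive conn_id=abc123",
    "<34>Jan 12 10:00:05 fw sshd[1234]: accepted password for alice conn_id=abc123",
    "<34>Jan 12 10:00:10 fw sshd[1235]: connection from 10.0.0.9 port 4444 conn_id=def456",
    "<34>Jan 12 10:01:00 fw sshd[1235]: accepted password for bob conn_id=def456",
]

TS_RE = re.compile(r"^<\d+>(\w{3} +\d+ \d\d:\d\d:\d\d) ")
CONN_RE = re.compile(r"conn_id=(\w+)")                       # the Simple rule: correlation key
TRIGGER_RE = re.compile(r"connection from (\S+) port (\d+)")  # TriggerCondition
REQUIRED_RE = re.compile(r"accepted \S+ for (\S+)")           # RequiredCondition


def parse_ts(line):
    """Parse the BSD syslog timestamp; the year is irrelevant for the interval check."""
    return datetime.strptime(TS_RE.match(line).group(1), "%b %d %H:%M:%S")


class PairCorrelator:
    """Keeps the trigger event per connection ID until the required event arrives."""

    def __init__(self, interval_seconds=30):
        self.interval = timedelta(seconds=interval_seconds)
        self.pending = {}  # conn_id -> (trigger timestamp, trigger raw line, extracted fields)

    def process(self, line):
        """Return a merged event dict when a pair completes, otherwise None."""
        conn = CONN_RE.search(line)
        if not conn:
            return None  # no correlation key, nothing to pair on
        conn_id, ts = conn.group(1), parse_ts(line)

        trig = TRIGGER_RE.search(line)
        if trig:
            # First event: remember its data, it cannot be modified later
            self.pending[conn_id] = (ts, line, {"src_ip": trig.group(1), "src_port": trig.group(2)})
            return None

        req = REQUIRED_RE.search(line)
        if req and conn_id in self.pending:
            first_ts, first_line, fields = self.pending.pop(conn_id)
            if ts - first_ts > self.interval:
                return None  # Interval expired: the trigger context is gone
            # Equivalent of $raw_event + get_prev_event_data("raw_event"): the second
            # event carries the first one's connection information forward
            return {"conn_id": conn_id, "user": req.group(1), **fields,
                    "raw_event": line + " | " + first_line}
        return None  # other events with the same conn_id are ignored by the pair rule


def correlate(lines, interval_seconds=30):
    """Run the whole stream through one correlator and collect the merged events."""
    c = PairCorrelator(interval_seconds)
    return [m for m in (c.process(l) for l in lines) if m is not None]


if __name__ == "__main__":
    for merged in correlate(SAMPLE_LINES):
        print(merged["raw_event"])
```

Only `alice` is emitted: the `keepalive` line shares the connection ID but matches neither condition, and `bob`'s login is 50 seconds after its trigger, so the context was dropped.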