IF statements for varying values


#1 jhartman

I am trying to parse some logs coming in and trying to figure out the proper way to build the nxlog.conf when specifying what to do depending on the conditions met in the parser. I have a working conf file that can read all the logs from a file and parse them into one set of conditions, but how do I add multiple IF statements in a single Exec block?

<Input NetMotion>
   Module      im_file
   File        "C:\Testing-logs\NetMotion.txt"
   <Exec>
   if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/
   {
       if $4 = 'Connected' $event_type = 'VPN_SESSION_IP_ASSIGNED';
       {
           $version = 'v1';
           $time = $3;
           $account = $1;
           $assigned_ip = $6;
           $source_ip = $2;
           $authentication_result = 'SUCCESS';
           $authentication_target = $5;
       }
       if $3 == 'Disconnected' $event_type = 'VPN_SESSION_IP_TERMINATION';
       {
           $version = 'v1';
           $time = $2;
           $account = $1;
       }
   }
   </Exec>
</Input>

The above code works in that it doesn't give me any errors in the NXLog log file; however, the actual log lines are mixed up. If the events match 'VPN_SESSION_IP_ASSIGNED', then it all works just fine. This gives me the order of event_type, version, time, account, assigned_ip, source_ip, authentication_result, authentication_target, which is exactly what I need.

However, for the lines where it doesn't match, it messes up the order and puts version first, and then tacks on the event_type = 'VPN_SESSION_IP_TERMINATION' at the end.

How do I get it so that when the $event_type = 'VPN_SESSION_IP_TERMINATION', the log format only shows the fields I want, e.g. event_type, version, time, account?

I tried a different method where I put the second if statement directly after the first, and it worked to keep the order, but I still don't know how to drop the unnecessary fields from the termination events.

<Input NetMotion>
   Module      im_file
   File        "C:\Testing-logs\NetMotion.txt"
   <Exec>
   if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/
   {
       if $4 = 'Connected' $event_type = 'VPN_SESSION_IP_ASSIGNED';
       if $3 == 'Disconnected' $event_type = 'VPN_SESSION_IP_TERMINATION';
       $version = 'v1';
       $time = $3;
       $account = $1;
       $assigned_ip = $6;
       $source_ip = $2;
       $authentication_result = 'SUCCESS';
       $authentication_target = $5;
   }
   </Exec>
</Input>

Would I do an additional if statement after that to basically say:

if $event_type == 'VPN_SESSION_IP_TERMINATION'
{
    delete($assigned_ip);
    delete($source_ip);
    delete($authentication_result);
    delete($authentication_target);
}

Any and all help is appreciated!

#2 NenadMDeactivated Nxlog ✓

Hello,

I couldn't spend too much time testing your configuration… but it seems like the problem is with multiple conditional statements inside the same Exec block. Like Perl, the NXLog language does not have a switch statement. Instead, this can be accomplished by using conditional if-else statements. Please check the following example:

if ( $value == 1 )
   log_info("1");
else if ( $value == 2 )
   log_info("2");
else if ( $value == 3 )
   log_info("3");
else
   log_info("default");
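
The if / else-if pattern from the answer, applied to the Input block in the question. This is an added example, not code from either poster or from NXLog. It assumes the five capture groups are, in order, m_user, pop_ip_srv, ses_start, ses_state and vip, as the pattern in the question suggests. Each branch opens with a brace block and assigns only its own fields, with `$event_type` first, so the termination event never receives the extra fields and no delete() calls are needed.

```conf
<Input NetMotion>
    Module  im_file
    File    "C:\Testing-logs\NetMotion.txt"
    <Exec>
        # Capture groups in this pattern:
        #   $1 m_user   $2 pop_ip_srv   $3 ses_start   $4 ses_state   $5 vip
        # There is no sixth group, so $6 is never set.
        if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/
        {
            # Compare with ==. A single = is an assignment, not a test.
            if $4 == 'Connected'
            {
                # Fields are assigned in the order the question asks for.
                $event_type = 'VPN_SESSION_IP_ASSIGNED';
                $version = 'v1';
                $time = $3;
                $account = $1;
                # The question reads $assigned_ip from $6. Add a capture
                # group for it to the pattern before assigning it here.
                $source_ip = $2;
                $authentication_result = 'SUCCESS';
                $authentication_target = $5;
            }
            else if $4 == 'Disconnected'
            {
                # Only the four fields wanted for termination events.
                $event_type = 'VPN_SESSION_IP_TERMINATION';
                $version = 'v1';
                # ses_start is the only timestamp this pattern captures.
                $time = $3;
                $account = $1;
            }
            else
                # Surface session states that neither branch handles.
                log_warning('Unhandled ses_state: ' + $4);
        }
    </Exec>
</Input>
```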