#1
absolis
Need some help: I want the fields "$srcip, $srcport, $dstip, $dstport" to be put together in another field called "$netinfo". How do I do it?
My logs
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1482865188.959602 CMyjvLxxxxxxx0MJjb xxx.xx.192.250 3xxx xxx.xxx.162.xxx 53 udp 19626 - - - - - 0 NOERROR F F F F 0 - - F
1482865189.162798 CW1kwxxxxxxxC3Ug0j xxx.xx.192.250 xxxx5 xxx.xxx.xxx.xxx 53 udp 250 r4.sn-a5m7znes.googlevideo.com - - - - 0 NOERROR T F F F 0 xxx.194.xxx.233 1800.000000 F
1482865189.182565 Cir6Sz3xxxxxO60PD6 fe80::xxx:f35c:xxxx:61ad 65535 ff02::1:3 5355 udp 1772 host 1 C_INTERNET 1 A - - F F F F 0 - - F
Nxlog .conf
<Extension csv.dns.log>
    Module         xm_csv
    # One name per Zeek column, in the order of the #fields header above: 23 names, 23 types.
    Fields         $timestamp,$uid,$srcip,$srcport,$dstip,$dstport,$service,$transid,$query,$qclass,$qclassname,$qtype,$qtypename,$rcode,$rcodename,$aa,$tc,$rd,$ra,$z,$answ,$ttls,$rejected
    FieldsType     string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string,string
    Delimiter      \t
</Extension>
<Input i.dns.log>
    Module         im_file
    File           "/*PATH*/dns.log"
    ReadFromLast   TRUE
    # Zeek's #separator, #fields, #types and #close lines are metadata, not records; drop them before parsing.
    Exec           if $raw_event =~ /^#/ drop(); else csv.dns.log->parse_csv();
</Input>
<Output o.dns.log>
    Module         om_ssl
    Host           192.XXX.X.XXX
    Port           ZZZZ
    OutputType     GELF_TCP
    CAFile         /data/conf/ca.crt
    # TRUE accepts any server certificate, so CAFile verifies nothing; set FALSE once the server cert chains to ca.crt.
    AllowUntrusted TRUE
</Output>
<Route r.dns.log>
    Path           i.dns.log => o.dns.log
</Route>
Thank you
The following should do that:
Exec $netinfo = $srcip + ', ' + $srcport + ', ' + $dstip + ', ' + $dstport;
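To check the column mapping and the resulting record offline before touching the NXLog config, here is an added Python example (not code from the thread or from NXLog): it parses Zeek's dns.log TSV, renames the 23 Zeek columns to the $field names used in the xm_csv extension, builds $netinfo with the same concatenation as the Exec line above, and shapes each record as a GELF 1.1 message, the format GELF_TCP sends. The three log lines are constructed (documentation and link-local addresses); the host name, the short_message format and the field names chosen for the TTLs and rejected columns are assumptions.

```python
"""Emulate the NXLog pipeline from the thread: Zeek dns.log -> xm_csv field
names -> $netinfo -> GELF 1.1 message. Added example, not NXLog's own code."""
import json
from typing import Dict, List, Optional

# Zeek column -> NXLog field name, in '#fields' order (23 columns).
# Names for TTLs and rejected are assumptions; the rest follow the post's config.
ZEEK_TO_NXLOG: Dict[str, str] = {
    "ts": "timestamp", "uid": "uid",
    "id.orig_h": "srcip", "id.orig_p": "srcport",
    "id.resp_h": "dstip", "id.resp_p": "dstport",
    "proto": "service", "trans_id": "transid",
    "query": "query", "qclass": "qclass", "qclass_name": "qclassname",
    "qtype": "qtype", "qtype_name": "qtypename",
    "rcode": "rcode", "rcode_name": "rcodename",
    "AA": "aa", "TC": "tc", "RD": "rd", "RA": "ra", "Z": "z",
    "answers": "answ", "TTLs": "ttls", "rejected": "rejected",
}


def _tsv(*cols: str) -> str:
    return "\t".join(cols)


# Constructed sample in Zeek's TSV format, same shape as the post's three lines.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", *ZEEK_TO_NXLOG.keys()),
    _tsv("#types", "time", "string", "addr", "port", "addr", "port", "enum",
         "count", "string", "count", "string", "count", "string", "count",
         "string", "bool", "bool", "bool", "bool", "count", "vector[string]",
         "vector[interval]", "bool"),
    _tsv("1482865188.959602", "CMyjvL0000000MJjb", "192.0.2.250", "3000",
         "198.51.100.53", "53", "udp", "19626", "-", "-", "-", "-", "-",
         "0", "NOERROR", "F", "F", "F", "F", "0", "-", "-", "F"),
    _tsv("1482865189.162798", "CW1kw000000C3Ug0j", "192.0.2.250", "50005",
         "198.51.100.53", "53", "udp", "250", "r4.sn-a5m7znes.googlevideo.com",
         "-", "-", "-", "-", "0", "NOERROR", "T", "F", "F", "F", "0",
         "203.0.113.233", "1800.000000", "F"),
    _tsv("1482865189.182565", "Cir6Sz3000000O60PD6", "fe80::1:f35c:2:61ad",
         "65535", "ff02::1:3", "5355", "udp", "1772", "host", "1",
         "C_INTERNET", "1", "A", "-", "-", "F", "F", "F", "F", "0", "-",
         "-", "F"),
    "#close 2016-12-27-19-00-00",
])


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek TSV into dicts keyed by Zeek column name.

    '#' lines are metadata (#separator, #fields, #types, #close): only #fields
    is used, the others are skipped. The NXLog config must skip them as well,
    otherwise parse_csv() turns '#fields ...' into a record. A row whose column
    count differs from the header is rejected instead of silently shifting
    every later field by one."""
    columns: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                columns = line.split("\t")[1:]
            continue
        if columns is None:
            raise ValueError("data line seen before the #fields header")
        values = line.split("\t")
        if len(values) != len(columns):
            raise ValueError(f"expected {len(columns)} columns, got {len(values)}")
        records.append(dict(zip(columns, values)))
    return records


def to_nxlog_fields(rec: Dict[str, str]) -> Dict[str, str]:
    """Rename Zeek columns to the $field names of the xm_csv extension and add
    $netinfo, the same concatenation as the answer's Exec line."""
    out = {ZEEK_TO_NXLOG[col]: val for col, val in rec.items()}
    out["netinfo"] = ", ".join((out["srcip"], out["srcport"], out["dstip"], out["dstport"]))
    return out


def to_gelf(fields: Dict[str, str], host: str = "zeek-sensor") -> Dict[str, object]:
    """Shape a record as a GELF 1.1 message: version, host, short_message and a
    numeric timestamp are the spec's own fields; every other field is an
    additional field and must carry a leading underscore."""
    msg: Dict[str, object] = {
        "version": "1.1",
        "host": host,  # assumed sensor name
        "short_message": f"dns {fields['query']} {fields['rcodename']}",  # assumed format
        "timestamp": float(fields["timestamp"]),
    }
    for name, value in fields.items():
        if name != "timestamp":
            msg["_" + name] = value
    return msg


def process_log(text: str, host: str = "zeek-sensor") -> List[Dict[str, object]]:
    return [to_gelf(to_nxlog_fields(r), host) for r in parse_zeek_tsv(text)]


if __name__ == "__main__":
    for msg in process_log(SAMPLE_LOG):
        # GELF over TCP sends one JSON document per message, terminated by a NUL byte.
        print(json.dumps(msg))
```

In the NXLog config itself, the $netinfo assignment has to run after parse_csv() in the same Input module (a second Exec, or the same Exec after the parse call), since $srcip and the other fields only exist once the line has been parsed; the '#'-prefixed Zeek metadata lines need to be dropped before parse_csv() for the same reason the parser above skips them.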