Merge two syslog events to a new one


#1 GLE

Hello, what is the best way to merge information from two events into a new one?

I have one event with connection information and a second event with the user ID. And I need the user ID in addition to the first event with the connection information, forwarded in a syslog stream. There is a connection ID in the event that I can use as a filter.

The problem is that there are some more events, too, with the same connection ID.

#2 b0ti Nxlog ✓

You may want to look at using [pm_evcorr](https://nxlog.co/documentation/nxlog-user-guide#pm_evcorr) for this. First you'll need to extract the connection id that can be used to correlate on. In the second rule you would retrieve the data from the first event and add it to the second.

```
Exec if $raw_event =~ /..../ $ConnectionID = $1;

TriggerCondition $raw_event =~ /match-first/
RequiredCondition $raw_event =~ /match-second/
Interval 30
Context $ConnectionID
# rewrite the message here
Exec $raw_event = $raw_event + get_prev_event_data("raw_event");
```

Note that it is not possible to _go back in time_ so it cannot take data from the second event and modify the event before that so you'll need to do it the other way around.
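The correlation logic described in this thread, modelled in Python as an added example (it is not part of the original posts and is not NXLog code): the connection event is held per connection ID, and the merged event is emitted only when the user-ID event arrives within the interval. The log format, the `connect` and `auth user=` markers and the function name are assumptions made for the illustration.

```python
import re

# Constructed log format (assumption): "<epoch-seconds> conn=<id> <message>"
LINE_RE = re.compile(r"^(\d+) conn=(\d+) (.*)$")
INTERVAL = 30  # seconds, the same window as "Interval 30" in the answer

# Constructed sample input, not taken from a real system.
SAMPLE = [
    "100 conn=7 connect src=192.0.2.10 dst=198.51.100.5:443",
    "101 conn=7 keepalive",                   # unrelated event, same connection ID
    "102 conn=8 connect src=192.0.2.11 dst=198.51.100.5:22",
    "105 conn=7 auth user=alice",             # inside the window: merged
    "140 conn=8 auth user=bob",               # 38 s after connect: window expired
    "150 conn=9 auth user=carol",             # no connection event seen at all
]


def correlate(lines, interval=INTERVAL):
    """Return user-ID events enriched with the earlier connection details."""
    pending = {}  # connection ID -> (timestamp, connection details)
    merged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # no connection ID to correlate on
        ts, conn_id, msg = int(m.group(1)), m.group(2), m.group(3)
        # Drop first events whose window has closed so state cannot grow forever.
        for cid in [c for c, (t, _) in pending.items() if ts - t > interval]:
            del pending[cid]
        if msg.startswith("connect "):
            # First event: remember it, keyed by connection ID (the "Context").
            pending[conn_id] = (ts, msg[len("connect "):])
        elif msg.startswith("auth user="):
            # Second event: it is the one rewritten, because the first event
            # has already been seen and cannot be changed afterwards.
            first = pending.pop(conn_id, None)
            if first is not None:
                merged.append(f"{ts} conn={conn_id} {msg} {first[1]}")
        # Any other event sharing the connection ID matches neither
        # condition and leaves the stored state untouched.
    return merged


if __name__ == "__main__":
    for event in correlate(SAMPLE):
        print(event)
```

Events that never find their partner (conn=8 and conn=9 in the sample) produce no merged output, so a downstream consumer should expect gaps rather than assume every connection carries a user ID.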