Hello guys, please help me split MESSAGE into separate events with syslog_bsd headers.

config example:

<Extension csv_parser>
    Module      xm_csv
    Fields      DisplayName, EmailAddress, Department, Title, Description, SamAccountName, EmployeeNumber, PasswordLastSet, LastLogonDate, enabled
    FieldTypes  string, string, string, string, string, string, string, string, string, string
</Extension>

    Exec    $msg1 = ($SamAccountName + " | -DisplayName | " + $DisplayName);
    Exec    $msg2 = ($SamAccountName + " | -EmailAddress | " + $EmailAddress);
    Exec    $msg3 = ($SamAccountName + " | -Department | " + $Department);
    Exec    $msg4 = ($SamAccountName + " | -Title | " + $Title);
    Exec    $msg5 = ($SamAccountName + " | -Description | " + $Description);
    Exec    $msg6 = ($SamAccountName + " | -SamAccountName | " + $SamAccountName);
    Exec    $msg7 = ($SamAccountName + " | -EmployeeNumber | " + $EmployeeNumber);
    Exec    $msg8 = ($SamAccountName + " | -PasswordLastSet | " + $PasswordLastSet);
    Exec    $msg9 = ($SamAccountName + " | -LastLogonDate | " + $LastLogonDate);
    Exec    $msg10 = ($SamAccountName + " | -enabled | " + $enabled);
    Exec    $raw_event = $msg1 + "\n" + $msg2 + "\n" + $msg3 + "\n" + $msg4 + "\n" + $msg5 + "\n" + $msg6 + "\n" + $msg7 + "\n" + $msg8 + "\n" + $msg9 + "\n" + $msg10 + "\n";

So the output looks like:

Administrator | -DisplayName | 
Administrator | -EmailAddress | admin@gmail.com
Administrator | -Department | 
Administrator | -Title | 
Administrator | -Description | Built-in account for administering the computer/domain
Administrator | -SamAccountName | Administrator
Administrator | -EmployeeNumber | 
Administrator | -PasswordLastSet | 2/21/2019 1:57:37 PM
Administrator | -LastLogonDate | 2/21/2019 2:08:51 PM
Administrator | -enabled | True

How do I add a syslog header TIMESTAMP HOSTNAME TAG[PID]: before each line and send the lines to syslog as separate messages?

If I use to_syslog_bsd(); the lines merge into one event.

Asked August 21, 2019 - 11:25pm
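An added illustration, not from the original post and not NXLog's own code: a small Python script that does outside NXLog what the question asks for, turning each line of the multi-line $raw_event into its own RFC 3164 (syslog_bsd) message with a TIMESTAMP HOSTNAME TAG[PID]: header. The hostname "dc01", tag "adinventory", PID 4242, the fixed timestamp and the user.info priority are assumed values.

```python
"""Split a multi-line NXLog $raw_event into one BSD syslog (RFC 3164) message per line."""
from datetime import datetime

# Sample multi-line event, constructed to match the output shown in the question
# (including the trailing space after "| " on lines whose attribute is empty).
RAW_EVENT = (
    "Administrator | -DisplayName | \n"
    "Administrator | -EmailAddress | admin@gmail.com\n"
    "Administrator | -Description | Built-in account for administering the computer/domain\n"
    "Administrator | -enabled | True\n"
)

# Fixed timestamp so the output is reproducible (assumed value, not from the post).
EXAMPLE_TS = datetime(2019, 8, 21, 23, 25, 0)


def bsd_timestamp(ts: datetime) -> str:
    """RFC 3164 TIMESTAMP: 'Mmm dd hh:mm:ss' with a space-padded day, e.g. 'Aug  1 09:05:00'."""
    return f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"


def to_syslog_bsd(message: str, ts: datetime, hostname: str, tag: str, pid: int,
                  facility: int = 1, severity: int = 6) -> str:
    """Build '<PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE'.

    PRI = facility * 8 + severity; facility 1 (user) and severity 6 (informational)
    give <14>, the common default for application logs.
    """
    pri = facility * 8 + severity
    return f"<{pri}>{bsd_timestamp(ts)} {hostname} {tag}[{pid}]: {message}"


def split_raw_event(raw_event: str, ts: datetime, hostname: str, tag: str, pid: int) -> list[str]:
    """One syslog message per non-empty line; the trailing "\\n" of $raw_event yields no extra event."""
    return [to_syslog_bsd(line, ts, hostname, tag, pid)
            for line in raw_event.split("\n") if line.strip()]


def example_messages() -> list[str]:
    """The sample event split with the assumed hostname, tag and PID."""
    return split_raw_event(RAW_EVENT, EXAMPLE_TS, "dc01", "adinventory", 4242)


if __name__ == "__main__":
    for msg in example_messages():
        print(msg)
```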

Answer (1)