CEF to MariaDB


CEF to MariaDB

Dossantos, Brandon
Hi,

I recently subscribed since I read a post that mentioned the mailing list would be easier to get an answer from. I am having some configuration problems and questions. I am looking to configure rsyslog to read CEF messages and parse the fields into their proper kv's, then import the values into a MariaDB database. What is the easiest course of action, I believe what I am doing is harder than it should be. Anyone have experience doing such a thing?

Thanks.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Re: CEF to MariaDB

matthew.gaetano
You can use the Message Modification Module 'mmnormalize' to parse CEF messages. It uses liblognorm which has a field type called 'cef'. Parsing un-ordered key value pairs is currently difficult to do.

mmnormalize will pass back the message object into a JSON variable, as declared. Then you can use an output module to push the data to MariaDB.

Unfortunately I do not have any experience with MariaDB, nor is there a specific output module for it. However the forums seem to suggest that others have used the MySQL output module 'ommysql'.
~Regards

Matthew Gaetano
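To make the two steps in this answer concrete (what a CEF parser such as liblognorm's 'cef' field type produces, and how that result should reach the database), here is an added example written for this thread; it is not rsyslog code, not liblognorm code, and not code from either poster. It parses the CEF header (respecting the `\|` and `\\` escapes) and the `key=value` extension (respecting `\=`, `\\`, `\n`, `\r`), then builds rows for a parameterised insert. The sample messages, the `cef_events` table and its columns are constructed for the example; the DB-API `cursor` is assumed to come from a MySQL/MariaDB driver such as pymysql or mysqlclient (the `mariadb` connector uses `?` placeholders instead of `%s`).

```python
"""Minimal CEF parser plus a parameterised MariaDB/MySQL row loader (added example)."""
import json
import re

# Constructed sample messages (not taken from the thread).
SAMPLE_LINES = [
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232",
    r"CEF:0|Vendor\|Inc|Product|2.0|200|Failed login|5|"
    r"suser=admin msg=Invalid password\= given src=192.0.2.7",
]

HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key starts the string or follows whitespace and ends at an
# unescaped '='; a '\=' inside a value does not match because '\' sits
# between the key characters and the '='.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][\w.\-]*)=")


def _split_header(body):
    """Split the seven '|'-separated header fields; '\\|' and '\\\\' are escapes."""
    fields, buf, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            if len(fields) == 7:          # "CEF:n" plus six header fields
                return fields, body[i:]   # the rest is the extension
            continue
        buf.append(ch)
        i += 1
    raise ValueError("CEF header has fewer than seven fields")


def _unescape_ext(value):
    """Undo extension escapes: '\\=', '\\\\', '\\n', '\\r'."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(line):
    """Return a dict of header fields plus an 'extension' dict of key/value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, ext = _split_header(line)
    event = {"cef_version": int(fields[0][4:])}
    event.update(zip(HEADER_FIELDS, fields[1:7]))
    matches = list(_KEY_RE.finditer(ext))
    extension = {}
    for idx, m in enumerate(matches):
        # A value runs from after its '=' up to the next key (or the end).
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        extension[m.group(1)] = _unescape_ext(ext[m.end():end].rstrip())
    event["extension"] = extension
    return event


# Constructed table layout: a few promoted columns plus the whole extension
# as JSON, so new vendor keys need no schema change.
DB_COLUMNS = ("device_vendor", "device_product", "signature_id", "name",
              "severity", "src", "dst", "extension_json")

INSERT_SQL = ("INSERT INTO cef_events (" + ", ".join(DB_COLUMNS) + ") VALUES ("
              + ", ".join("%s" for _ in DB_COLUMNS) + ")")


def to_db_row(event):
    """Flatten a parsed event into a tuple ordered like DB_COLUMNS."""
    ext = event["extension"]
    return (event["device_vendor"], event["device_product"], event["signature_id"],
            event["name"], event["severity"], ext.get("src"), ext.get("dst"),
            json.dumps(ext, sort_keys=True))


def insert_rows(cursor, lines):
    """Load CEF lines with a parameterised executemany.

    Log content is passed as bound parameters and never spliced into the SQL
    text, so a crafted msg= value cannot change the statement. Returns the
    number of rows handed to the cursor.
    """
    rows = [to_db_row(parse_cef(line)) for line in lines]
    cursor.executemany(INSERT_SQL, rows)
    return len(rows)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(json.dumps(parse_cef(sample), indent=2))
```

The same two points apply if you stay inside rsyslog as the answer suggests: the mmnormalize result is only as trustworthy as the escaping rules it applies, and whatever template feeds ommysql must have SQL escaping enabled (rsyslog's `option.sql` template option) so a hostile `msg=` value cannot break out of the insert statement.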

Re: CEF to MariaDB

David Lang
MariaDB is a fork of MySQL, and currently they are pretty much interchangeable
(MySQL got sold to Oracle and as a result many people are switching to MariaDB)

David Lang

On Mon, 17 Jul 2017, matthew.gaetano wrote:

> Date: Mon, 17 Jul 2017 10:20:40 -0700 (MST)
> From: matthew.gaetano <[hidden email]>
> Reply-To: rsyslog-users <[hidden email]>
> To: [hidden email]
> Subject: Re: [rsyslog] CEF to MariaDB
>
> You can use the Message Modification Module 'mmnormalize' to parse CEF
> messages. It uses liblognorm which has a field type called 'cef'. Parsing
> un-ordered key value pairs is currently difficult to do.
>
> mmnormalize will pass back the message object into a JSON variable, as
> declared. Then you can use an output module to push the data to MariaDB.
>
> Unfortunately I do not have any experience with MariaDB, nor is there a
> specific output module for it. However the forums seem to suggest that
> others have used the MySQL output module 'ommysql'.
>
> -----
> ~Regards
>
> Matthew Gaetano
> --
> View this message in context: http://rsyslog-users.1305293.n2.nabble.com/CEF-to-MariaDB-tp7592593p7592594.html
> Sent from the rsyslog-users mailing list archive at Nabble.com.