Similarly to Using parser results in filters and templates, the results of pattern parsers can be used as well. To accomplish this, you have to add a name to the parser, and then you can use this name as a macro that refers to the parsed value of the message.
For example, suppose you want to parse messages of an application that look like "Transaction: <type>.", where <type> is a string that takes different values (for example refused, accepted, incomplete, and so on). To parse these messages, you can use the following pattern:
'Transaction: @ESTRING::.@'
Here the @ESTRING@ parser parses the message until the next full stop character. To use the results in a filter or a filename template, include a name in the parser of the pattern, for example:
'Transaction: @ESTRING:TRANSACTIONTYPE:.@'
After that, add a custom filter or template to the log path that uses this name as a macro. For example, to select every accepted transaction, use the following custom filter in the log path:
match("accepted" value("TRANSACTIONTYPE"));
NOTE: The above macros can be used in database columns and filename templates as well, if you create custom templates for the destination or logspace.
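To make the behaviour of the named @ESTRING@ parser and the match() filter concrete, the following is an added, simplified emulation written for this page; it is not SSB or syslog-ng code. It assumes only what the text above states: @ESTRING:NAME:DELIM@ consumes the message up to the next DELIM and stores it under NAME, a message without the delimiter does not match, and match("regexp" value("NAME")) runs a regular expression against that stored value. The log lines are constructed sample input.

```python
import re

# Recognises one @ESTRING:NAME:DELIM@ element (NAME may be empty, as in the page's first pattern).
PARSER_RE = re.compile(r"@ESTRING:(?P<name>[A-Za-z0-9_]*):(?P<delim>[^@]*)@")


def compile_pattern(pattern):
    """Split a pattern into literal chunks and ESTRING parser elements."""
    parts, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        if m.start() > pos:
            parts.append(("literal", pattern[pos:m.start()]))
        parts.append(("estring", m.group("name"), m.group("delim")))
        pos = m.end()
    if pos < len(pattern):
        parts.append(("literal", pattern[pos:]))
    return parts


def match_pattern(pattern, message):
    """Return {NAME: value, ...} if the message matches, otherwise None."""
    values, rest = {}, message
    for part in compile_pattern(pattern):
        if part[0] == "literal":
            if not rest.startswith(part[1]):
                return None
            rest = rest[len(part[1]):]
        else:
            _, name, delim = part
            idx = rest.find(delim)
            if idx < 0:  # ESTRING needs its delimiter; without it the pattern does not match
                return None
            if name:  # an unnamed parser consumes text but stores nothing
                values[name] = rest[:idx]
            rest = rest[idx + len(delim):]
    return values


def filter_match(values, regexp, macro):
    """Emulate match("regexp" value("MACRO")) on the parsed values."""
    return values is not None and re.search(regexp, values.get(macro, "")) is not None


def select_matching(messages, pattern, regexp, macro):
    """Keep only the messages that parse and whose named value matches regexp."""
    return [m for m in messages if filter_match(match_pattern(pattern, m), regexp, macro)]


PATTERN = "Transaction: @ESTRING:TRANSACTIONTYPE:.@"
CONSTRUCTED_LOG = [  # constructed sample messages, not real SSB output
    "Transaction: accepted.",
    "Transaction: refused.",
    "Transaction: incomplete.",
    "Transaction: accepted",  # no terminating full stop: ESTRING does not match
]
```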
The syslog-ng Store Box (SSB) appliance can be accessed using a Remote Procedure Call Application Programming Interface (RPC API).
The SSB RPC API allows you to access and query SSB logspaces from remote applications. You access the API using a RESTful protocol over HTTPS, so any programming language that has access to a RESTful HTTPS client can be used to integrate SSB into your environment. Sample shell code snippets are provided in the API documentation.
Accessing SSB with the RPC API offers several advantages:
SSB prevents brute-force attacks when logging in. If you repeatedly try to log in to SSB using incorrect login details within a short period of time (10 times within 60 seconds), the source IP address is blocked for 5 minutes.
To access syslog-ng Store Box (SSB) using the RPC API, the following requirements must be met:
- The appliance can be accessed using a RESTful protocol over authenticated HTTPS connections.
- The user account used to access SSB via RPC must have the Search privilege (which provides access to all logspaces), or must be a member of the groups listed in the Access Control option of the particular logspace. For details on managing user privileges, see Modifying group privileges.
The client application used to access syslog-ng Store Box (SSB) must meet the following criteria:
- Support RESTful web APIs over HTTPS
- Properly handle complex object types
- Include a JSON decoder for interpreting the results of search operations