axoflow / axosyslog

AxoSyslog - the scalable security data processor
https://axoflow.com

filterx: add SDATA helper functions #242

Closed OverOrion closed 1 month ago

OverOrion commented 2 months ago
```
@version: 4.8
@include "scl.conf"

log {
  source {
    example-msg-generator(
      num(1)
      template("[Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxui-13c6-6b16 sid=5214bde6 user=root][anotherSDID@32473 iut=4 eventSource=Application eventID=1012]")
    );
  };
  parser { sdata-parser(); };
  filterx {
    bar = has_sdata();
    foo = is_sdata_from_enterprise("6876");
    # asd = get_sdata();
    vars();
  };
  destination { file("/dev/stdout"); };
};
```
```
[2024-08-07T14:57:58.003231] Setting value; name='.SDATA.Originator@6876.sub', value='Vimsvc.ha-eventmgr', type='string', msg='0x59da85103170', rcptid='1872'
[2024-08-07T14:57:58.003231] Setting value; name='.SDATA.Originator@6876.opID', value='esxui-13c6-6b16', type='string', msg='0x59da85103170', rcptid='1872'
[2024-08-07T14:57:58.003231] Setting value; name='.SDATA.Originator@6876.sid', value='5214bde6', type='string', msg='0x59da85103170', rcptid='1872'
[2024-08-07T14:57:58.003231] Setting value; name='.SDATA.Originator@6876.user', value='root', type='string', msg='0x59da85103170', rcptid='1872'
[2024-08-07T14:57:58.003231] Setting value; name='.SDATA.anotherSDID@32473.iut', value='4', type='string', msg='0x59da85103170', rcptid='1872'
[2024-08-07T14:57:58.003231] Setting value; name='.SDATA.anotherSDID@32473.eventSource', value='Application', type='string', msg='0x59da85103170', rcptid='1872'
[2024-08-07T14:57:58.003231] Setting value; name='.SDATA.anotherSDID@32473.eventID', value='1012', type='string', msg='0x59da85103170', rcptid='1872'
[2024-08-07T14:57:58.003231] <<<<<< parser rule evaluation result; result='accepted', rule='#anon-parser0', location='/source/install_dir/etc/asd.conf:9:10', msg='0x59da85103170', rcptid='1872'
[2024-08-07T14:57:58.003231] >>>>>> filterx rule evaluation begin; rule='#anon-filter0', location='/source/install_dir/etc/asd.conf:10:10', msg='0x59da85103170', rcptid='1872'
[2024-08-07T14:57:58.003231] FILTERX ESTEP; expr='/source/install_dir/etc/asd.conf:11:5|        bar = has_sdata()', value='true', truthy='1', type='boolean'
[2024-08-07T14:57:58.003231] FILTERX ESTEP; expr='/source/install_dir/etc/asd.conf:12:5|        foo = is_sdata_from_enterprise("6876")', value='true', truthy='1', type='boolean'
```
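To make the evaluation above easier to follow, here is an added Python model (not AxoSyslog's own C code) of what the PR's demo exercises: the STRUCTURED-DATA string from the template is flattened into the `.SDATA.<SD-ID>.<param>` names the debug log shows, and `has_sdata` / `is_sdata_from_enterprise` are reimplemented with the semantics inferred from the log (any SD element present; any SD-ID whose part after `@` equals the given enterprise number). Bare, unquoted PARAM-VALUEs are accepted because the generator template uses them, which is looser than RFC 5424; the real filterx functions may differ in edge cases.

```python
import re

# Constructed sample: the exact SD string from the PR's example-msg-generator template.
SAMPLE_SDATA = (
    "[Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxui-13c6-6b16 sid=5214bde6 user=root]"
    "[anotherSDID@32473 iut=4 eventSource=Application eventID=1012]"
)

# One SD-ELEMENT: "[" SD-ID *(SP PARAM-NAME "=" PARAM-VALUE) "]".
# PARAM-VALUE is "..." with \" \\ \] escapes (RFC 5424) or, leniently, a bare token.
_ELEMENT = re.compile(
    r'\[(?P<sdid>[^\s\]"=]+)'
    r'(?P<params>(?:\s+[^\s=\]"]+=(?:"(?:[^"\\]|\\.)*"|[^\s\]]+))*)\s*\]'
)
_PARAM = re.compile(r'(?P<name>[^\s=\]"]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^\s\]]+))')


def _unescape(value):
    """Undo the three RFC 5424 PARAM-VALUE escapes: \\" \\\\ \\]."""
    return re.sub(r'\\(["\\\]])', r'\1', value)


def parse_sdata(text):
    """Return {sd_id: {param: value}}; '-' is NILVALUE (no structured data)."""
    elements = {}
    if text == "-":
        return elements
    pos = 0
    while pos < len(text):
        m = _ELEMENT.match(text, pos)
        if not m:
            raise ValueError("malformed STRUCTURED-DATA at offset %d" % pos)
        params = elements.setdefault(m.group("sdid"), {})
        for p in _PARAM.finditer(m.group("params")):
            raw = p.group("quoted") if p.group("quoted") is not None else p.group("bare")
            params[p.group("name")] = _unescape(raw)
        pos = m.end()
    return elements


def flatten_sdata(elements):
    """Produce the .SDATA.<SD-ID>.<param> name-value pairs that sdata-parser() sets."""
    return {".SDATA.%s.%s" % (sdid, name): value
            for sdid, params in elements.items() for name, value in params.items()}


def has_sdata(elements):
    return bool(elements)


def is_sdata_from_enterprise(elements, enterprise_id):
    # SD-ID is NAME@ENTERPRISE-NUMBER for private ids; IANA ids (no '@') never match.
    return any("@" in sdid and sdid.rsplit("@", 1)[1] == str(enterprise_id)
               for sdid in elements)
```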
jszigetvari commented 1 month ago

subscribe.