How to write syslog parser in Metron's Strom?

moj_72 · ‎08-27-2018

I am using Metron 0.4.1

I want to write syslog parser but I don't know how to do it.

thanks for helping me.

StefanDunkler · ‎08-27-2018

You could start by defining it via Grok using the GrokParser. SYSLOG_HEADER + MESSAGE, where the SYSLOG_HEADER could look like:

<%{POSINT:syslog_priority}>%{SYSLOGTIMESTAMP:date} %{IPORHOST:device}

Or write your own Java Parser: https://metron.apache.org/current-book/metron-platform/metron-parsers/3rdPartyParser.html
In future Metron versions a syslog parsing capability is planned: (https://issues.apache.org/jira/browse/METRON-1453)

ottobackwards · ‎08-27-2018

Supports RFC 5424 messages only