syslog-ng - set a value or macro based on value of another macro

I have a patterndb config that is parsing pfsense filterlog messages to extract the various fields to send to Azure Sentinel in CEF format; it is largely working fine.

I need to set the Severity field of my event based upon the firewall action.

For example, if the field "PF.PF_ACTION" is block, "Severity" needs to be 4; if "PF.PF_ACTION" is pass, "Severity" needs to be 1.

Severity does not exist at this point; I am creating a new macro here, or want to return the correct value based upon the original macro.

I have tried a template function with if, but it seems to always think the result is true:

# template function meant to derive the CEF severity from the parsed action
template-function set_pfsense_severity "$(if (\"${PF.PF_ACTION}\" == \"pass\" ) \"4\" \"1\")";
# CEF header, calling the severity template function for the field before |act=
template-function cef_header_netgate "${ISODATE} ${HOST} CEF:0|Netgate|pfSense||${PF.PF_TRACKER}||$(set_pfsense_severity)|";
# destination opening line restored from the log path below
destination pfsense_parsed {
    file(
        "/var/log/pfsense.log"
        fsync(yes)
        template("$(cef_header_netgate)$(format-welf --omit-empty-values act=${PF.PF_ACTION} dvc=$HOST dvchost=$HOST dst=${PF.PF_IP_DESTINATION_IP} dpt=${PF.PF_IP_DESTINATION_PORT} in=${PF.PF_IP_PAYLOAD_LENGTH} msg=$MSG proto=${PF.PF_IP_PROTOCOL_TEXT} src=${PF.PF_IP_SOURCE_IP} spt=${PF.PF_IP_SOURCE_PORT} csl=${PF.PF_RULE_NUMBER} deviceDirection=${PF.PF_DIRECTION} deviceFacility=$FACILITY)\n")
    );
};
log {
    source(s_udp_oms);
    filter(f_oms_pfsense_filterlog);
    parser(pfsense);
    rewrite(r_set_direction);
    destination(pfsense_parsed);
};

Here are 2 log lines for reference; the Severity field is the field before |act=

2022-03-09T20:23:38+00:00 192.168.x.254 CEF:0|Netgate|pfSense||1000000103||4|act=block csl=4 deviceDirection=0 deviceFacility=local0 dpt=9999 dst=255.255.255.255 dvc=192.168.x.254 dvchost=192.168.x.x in=14 msg=4,,,1000000103,igb0.20,match,block,in,4,0x0,,64,0,0,DF,17,udp,34,0.0.0.0,255.255.255.255,9998,9999,14 proto=udp spt=9998 src=0.0.0.0
2022-03-09T20:23:41+00:00 192.168.x.254 CEF:0|Netgate|pfSense||1770011110||4|act=pass csl=130 deviceDirection=0 deviceFacility=local0 dpt=443 dst=17.253.x.x dvc=192.168.x.254 dvchost=192.168.x.x in=0 msg=130,,,1770011110,igb0.10,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.x.x,17.253.x.x,58359,443,0,S,3162698201,,0,,mss;nop;wscale;nop;nop;TS;sackOK;eol proto=tcp spt=58359 src=192.168.x.x

How else can I either configure a macro that I can place in the template, or return the correct value?

mangohost
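One way to derive a per-action Severity without a nested $(if) inside a template function, as an added example that is not part of the question: a rewrite rule that uses set() with a condition(), inserted into the existing log path ahead of the destination. It assumes the source, filter, parser, rewrite and destination names from the question, the values 4 for block and 1 for pass, and (an assumption beyond the question) a default of 1 for any other action.

```conf
# Added example (not the poster's config): set ${Severity} from ${PF.PF_ACTION}
# with a rewrite rule, so the template only has to expand a plain macro.
rewrite r_set_severity {
    # default for any action that is neither block nor pass (assumption)
    set("1", value("Severity"));
    # type(string) makes match() an exact comparison instead of a regex
    set("4", value("Severity") condition(match("block" value("PF.PF_ACTION") type(string))));
    set("1", value("Severity") condition(match("pass"  value("PF.PF_ACTION") type(string))));
};

# CEF header now reads the rewritten macro for the field before |act=
template-function cef_header_netgate "${ISODATE} ${HOST} CEF:0|Netgate|pfSense||${PF.PF_TRACKER}||${Severity}|";

log {
    source(s_udp_oms);
    filter(f_oms_pfsense_filterlog);
    parser(pfsense);
    rewrite(r_set_direction);
    rewrite(r_set_severity);    # must run before the destination expands ${Severity}
    destination(pfsense_parsed);
};
```

Feeding the two sample messages from the question through this path should yield 4 for the act=block line and 1 for the act=pass line, which is a quick check that the rewrite ran before the destination template.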
