Infoblox syslog not being decoded as expected


Luka Wynants

May 11, 2026, 9:17:01 AM (6 days ago) May 11
to Wazuh | Mailing List
Hello, 
any help is appreciated!

What I'm trying to do is create a custom decoder for Infoblox syslog. I want to create one parent decoder which catches all Infoblox syslog, and then use child decoders for each specific 'program name' in Infoblox (e.g. one for named, httpd, ntpd, sshd etc.). Since the Infoblox syslog is very generic, the only unique identifier for filtering out Infoblox messages would be the hostname inside the log message, so I tried to create this broad decoder which should match if the syslog message contains "pmc-ib-"


<decoder name="infoblox-base">
  <prematch>pmc-ib-.*</prematch>
</decoder>

<decoder name="infoblox-dhcp">
  <parent>infoblox-base</parent>
  <program_name>dhcpd</program_name>
</decoder>


To test I have this log message from infoblox:

May 11 14:26:59 pmc-ib-a dhcpd[2660669]: DHCPACK on  [ip_address]  to  [mac_address]  (S24-Ultra) via eth2 relay eth2 lease-duration 7200 (RENEW) uid  [mac_address]


---------------------------------------------------
**Phase 1: Completed pre-decoding. 
full event: 'May 11 14:26:59  pmc-ib-a  dhcpd[2660669]: DHCPACK on [ip_address] to [mac_address] (S24-Ultra) via eth2 relay eth2 lease-duration 7200 (RENEW) uid [mac_address] '
timestamp: 'May 11 14:26:59
hostname: ' pmc-ib-a
program_name: 'dhcpd' 

**Phase 2: Completed decoding. No decoder matched.
-------------------------------------------------------

Is it because the predecoder found a 'program_name' that it isn't looking at my custom decoders and only at the decoders if a program_name is detected?

Or is it because you cannot match based on hostname like this?

Or is it because the predecoder took out the hostname from the log message that it isn't being matched anymore?

Any help or feedback is appreciated!

Md. Nazmur Sakib

May 11, 2026, 10:25:14 AM (6 days ago) May 11
to Wazuh | Mailing List

Hello


If your decoder matches a program name in the pre-decoder, you need to add the reference to it in the parent decoder.

Next, you can use a prematch in the parent decoder in addition to the program name. But the prematch keyword needs to be from the log (excluding the syslog header).

For your log, the part that is decoded by the pre-decoder is the syslog header.



May 11 14:26:59 pmc-ib-a dhcpd[2660669]:

The rest is the log.



DHCPACK on  [ip_address]  to  [mac_address]  (S24-Ultra) via eth2 relay eth2 lease-duration 7200 (RENEW) uid  [mac_address]

Ex:

<decoder name="infoblox-base">
    <program_name>dhcpd</program_name>
    <prematch>S24-Ultra</prematch>
</decoder>


For the decoders as well, you cannot write the decoder for the syslog header. You can only parse the value from the log.

You can test this decoder for reference.

<decoder name="infoblox-base">
    <program_name>dhcpd</program_name>
</decoder>

<decoder name="infoblox-base-child">
    <parent>infoblox-base</parent>
    <regex>^(\.+)$</regex>
    <order>log</order>
</decoder>




This is the test result.
**Messages:

INFO: (7202): Session initialized with token '8f4cb61e'


**Phase 1: Completed pre-decoding.

full event: 'May 11 14:26:59 pmc-ib-a dhcpd[2660669]: DHCPACK on  [ip_address]  to  [mac_address]  (S24-Ultra) via eth2 relay eth2 lease-duration 7200 (RENEW) uid  [mac_address]'

timestamp: 'May 11 14:26:59'

hostname: 'pmc-ib-a'

program_name: 'dhcpd'



**Phase 2: Completed decoding.

name: 'infoblox-base'

log: 'DHCPACK on  [ip_address]  to  [mac_address]  (S24-Ultra) via eth2 relay eth2 lease-duration 7200 (RENEW) uid  [mac_address]'



Let me know if you need any further information.
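Added example (not from the thread or from Wazuh itself): a small Python model of the two phases the reply describes, to show why a prematch on the hostname can never fire. Phase 1 strips the syslog header, so decoders only ever see the body; the decoder from the question therefore finds nothing, while the program_name + body prematch from the reply matches. The child decoder, its field names and the header regex are assumptions for illustration, not Wazuh's engine or its OSRegex syntax.

```python
import re

# Constructed sample: the DHCPACK line quoted in the thread, placeholders kept as-is.
SAMPLE = ("May 11 14:26:59 pmc-ib-a dhcpd[2660669]: DHCPACK on  [ip_address]  to  "
          "[mac_address]  (S24-Ultra) via eth2 relay eth2 lease-duration 7200 (RENEW) "
          "uid  [mac_address]")

# Phase 1 (assumed header shape): timestamp, hostname, program_name[pid]: body.
HEADER = re.compile(r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
                    r"(?P<program_name>[^\[:\s]+)(?:\[\d+\])?: (?P<log>.*)$")

def predecode(line):
    """Return the header fields plus 'log'; decoders only ever see 'log'."""
    m = HEADER.match(line)
    return m.groupdict() if m else {"log": line}

def decode(event, decoders):
    """Phase 2 (simplified model): program_name is compared with the header field,
    prematch and child regexes are applied to the body only. Returns (name, fields)."""
    for d in decoders:
        if "program_name" in d and d["program_name"] != event.get("program_name"):
            continue
        if "prematch" in d and not re.search(d["prematch"], event["log"]):
            continue
        for child in d.get("children", []):
            m = re.search(child["regex"], event["log"])
            if m:
                return child["name"], dict(zip(child["order"], m.groups()))
        return d["name"], {}
    return None, {}

# Decoder from the question: the hostname is not in the body, so this never matches.
HOSTNAME_DECODER = {"name": "infoblox-base", "prematch": r"pmc-ib-.*"}

# Decoder from the reply, extended with a hypothetical child that pulls DHCPACK fields.
BODY_DECODER = {
    "name": "infoblox-base", "program_name": "dhcpd", "prematch": r"S24-Ultra",
    "children": [{
        "name": "infoblox-dhcpack",
        "regex": r"^DHCPACK on +(\S+) +to +(\S+) +\((\S+)\) via (\S+)",
        "order": ["dstip", "srcmac", "client", "iface"],
    }],
}

if __name__ == "__main__":
    event = predecode(SAMPLE)
    print(decode(event, [HOSTNAME_DECODER]))  # (None, {})
    print(decode(event, [BODY_DECODER]))      # ('infoblox-dhcpack', {...})
```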
