
My FortiGate firewall sends log messages to my syslog server (CentOS 7). The syslog server stores them in a *.log file with rsyslog, like this:

Sep 24 00:00:00 192.168.20.20 date=2020-09-24 time=01:00:00 devname="FGT-G1" devid="FGTXXXX" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1600905600 appid=34050 srcip=192.168.X.X dstip=213.136.X.X srcport=63566 dstport=81 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 service="tcp/81" direction="outgoing" policyid=1 sessionid=1301831 applist="default" appcat="Web.Client" app="HTTP.BROWSER_Firefox" action="pass" hostname="facebook.com" incidentserialno=48089476 url="/" msg="Web.Client: HTTP.BROWSER_Firefox," apprisk="elevated"

I just want to retrieve some fields as soon as a new line is added to the log file, maybe in JSON format like this:

{
  "date": "2020-09-24",
  "time": "01:00:00",
  "srcip": "192.168.X.X",
  "hostname": "facebook.com",
  "app": "HTTP.BROWSER_Firefox"
}

Thanks for your help!
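One way to do what the question asks, as an added example that is not the asker's code: a small Python script that parses the FortiGate key=value format (quoted values such as msg="Web.Client: HTTP.BROWSER_Firefox," may contain spaces and commas, so a naive split on spaces would break them), keeps only the wanted fields, and follows the rsyslog file like tail -f, appending one JSON object per new line to a second file that the Flask app can then serve without any parsing. The field names come from the sample line above; the input/output paths, the polling interval and the inode check for logrotate are assumptions.

```python
import json
import os
import re
import sys
import time

# FortiGate writes space-separated key=value pairs; a value is either a
# double-quoted string (may contain spaces, commas, colons) or a bare token.
# The rsyslog prefix ("Sep 24 00:00:00 192.168.20.20") contains no '=' and is skipped.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields the question wants in the output; order here is the order in the JSON.
WANTED = ("date", "time", "srcip", "hostname", "app")

# Sample line copied from the question (IPs are anonymised in the original).
SAMPLE_LINE = (
    'Sep 24 00:00:00 192.168.20.20 date=2020-09-24 time=01:00:00 devname="FGT-G1" '
    'devid="FGTXXXX" logid="1059028704" type="utm" subtype="app-ctrl" '
    'eventtype="app-ctrl-all" level="information" vd="root" eventtime=1600905600 '
    'appid=34050 srcip=192.168.X.X dstip=213.136.X.X srcport=63566 dstport=81 '
    'srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" proto=6 '
    'service="tcp/81" direction="outgoing" policyid=1 sessionid=1301831 '
    'applist="default" appcat="Web.Client" app="HTTP.BROWSER_Firefox" action="pass" '
    'hostname="facebook.com" incidentserialno=48089476 url="/" '
    'msg="Web.Client: HTTP.BROWSER_Firefox," apprisk="elevated"'
)


def parse_fortigate_line(line):
    """Return every key=value pair of one stored log line as a dict (values are strings)."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def select_fields(fields, wanted=WANTED):
    """Keep only the wanted keys, in the wanted order; missing keys are simply omitted."""
    return {k: fields[k] for k in wanted if k in fields}


def line_to_json(line, wanted=WANTED):
    """One log line -> one JSON object string, or None if the line has no key=value pairs.
    json.dumps escapes quotes and control characters, so attacker-controlled
    values (hostname, url, msg) cannot break the output format."""
    fields = parse_fortigate_line(line)
    if not fields:
        return None
    return json.dumps(select_fields(fields, wanted))


def follow(path, out_path, wanted=WANTED, poll=1.0):
    """Tail `path` from its current end and append a JSON line per new record to `out_path`.
    Reopens the source when its inode changes (logrotate replaced the file)."""
    src = open(path, "r", encoding="utf-8", errors="replace")
    src.seek(0, os.SEEK_END)
    inode = os.fstat(src.fileno()).st_ino
    with open(out_path, "a", encoding="utf-8") as dst:
        while True:
            line = src.readline()
            if line:
                rec = line_to_json(line.rstrip("\n"), wanted)
                if rec is not None:
                    dst.write(rec + "\n")
                    dst.flush()
                continue
            time.sleep(poll)
            try:
                if os.stat(path).st_ino != inode:  # rotated: switch to the new file
                    src.close()
                    src = open(path, "r", encoding="utf-8", errors="replace")
                    inode = os.fstat(src.fileno()).st_ino
            except FileNotFoundError:
                pass  # rotation in progress; retry on the next poll


if __name__ == "__main__":
    # Usage (assumed paths): python fgt_tail.py /var/log/fortigate.log /var/log/fortigate.json
    follow(sys.argv[1], sys.argv[2])
```

The script reads only the lines appended after it starts, so run it as a service (systemd, or under the same account rsyslog writes the file for) and let the Flask app read the *.json file. Because hostname and url are taken from the client's traffic, the web app should still treat them as untrusted data when rendering them.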

  • You could just use tail -f and pipe it into awk and then print it with jq. What is your goal? Do you want to convert the whole log file into json or just want a bash command to convert the last lines of the file into json? – Lorem ipsum Oct 01 '20 at 16:19
  • I have created a web app with Python Flask, which reads the raw log file, retrieves the fields I want and displays them. But the process was taking so much time to return a response to the client. So now I want to automatically filter the raw log file as soon as a new line is added, then put these fields in another file. So now my web app won't do processing anymore; it will just display the content of the new log file (the one created after retrieving fields from the initial log). – user13877317 Oct 01 '20 at 16:42
  • Using Python. There is a sample in the syslog-ng community: https://www.syslog-ng.com/community/b/blog/posts/parsing-log-messages-with-the-syslog-ng-python-parser – MohammadReza moeini Oct 01 '20 at 18:27

0 Answers