RAW Input with “Length-prefixed framing”

Welp, that kinda worked and did what I asked.

This function successfully kills the original message and its bogus fields…

rule "TEST FGT-Direct re-parser"
when
  from_input(name: "FGT special TCP Syslog 10514")
then
  // Keep the parts of the incoming message that the replacement needs.
  let raw_text = to_string($message.message);
  let raw_full = to_string($message.full_message);
  let raw_source = to_string($message.source);
  // FIXME: Fortinet-specific. The division by 1,000,000 suggests eventtime
  // arrives in nanoseconds and is scaled to the milliseconds that
  // parse_unix_milliseconds expects — confirm against the device output.
  // Generic alternative: let event_ts = to_date($message.timestamp);
  let event_ts = parse_unix_milliseconds(to_long($message.eventtime)/1000000);
  // The original message (and its unwanted fields) is discarded; everything
  // below operates on the freshly created replacement.
  drop_message();

  let replacement = create_message(raw_text, raw_source, event_ts);
  set_field(field:"full_message", value:raw_full, message:replacement);

  // FIXME: Parsing for your logs goes here... or into the next pipeline stage.
  // NOTE(review): set_fields writes every key found in the log line, so a key
  // that collides with a field already set above (source, full_message, ...)
  // would overwrite it. Log content is not trusted input; confirm that is
  // acceptable or restrict which keys are copied.
  let pairs = key_value(value:raw_text, delimiters:" ", kv_delimiters:"=", trim_value_chars:"\"");
  set_fields(fields:pairs, message:replacement);
  // Map the textual syslog level to its numeric value (0 when unknown).
  let syslog_level = lookup_value("SyslogLevels", replacement.level, 0);
  set_field(field:"level", value:to_long(syslog_level), message:replacement);

  route_to_stream(name: "ZZ Scratchpad", message: replacement, remove_from_default: true);
end



… but it ultimately failed to do what I need,
because the key_value function in Pipelines, while more configurable than its key=value tokenizer extractor counterpart, seems unable to handle spaces inside quoted values :slightly_frowning_face:

I guess I’ll have to ask about that in a new topic: Running key=value tokenizer extractor from Pipelines?
