I just want to pile in here and recommend taking a look at the parser chaining use-case, which is a walk-through of pulling in firewall logs over syslog using grok (https://github.com/apache/metron/tree/master/use-cases/parser_chaining). Unfortunately this is in master and not yet in a release, but it will show you how to use grok to parse syslogs containing some other format inside.
Casey

On Fri, Jul 20, 2018 at 5:34 AM Simon Elliston Ball <si...@simonellistonball.com> wrote:

> What you need to do is NOT ParseCEF in NiFi. Metron should handle the CEF
> parsing.
>
> Just use NiFi to do the listen syslog (no need to parse in NiFi) then
> SplitText to get one line of CEF per kafka message (if your syslog is
> batching, this may not be necessary). Set up a sensor in Metron using the
> CEF parser and you should be fine.
>
> Simon
>
>
> On 20 Jul 2018, at 09:39, Srikanth Nagarajan <s...@gandivanetworks.com>
> wrote:
>
> Hi Farrukh,
>
> You can try using the Grok Parser and search for a regular expression
> pattern for your log. You can customize the regex to meet your needs.
>
> https://cwiki.apache.org/confluence/display/METRON/2016/04/25/Metron+Tutorial+-+Fundamentals+Part+1%3A+Creating+a+New+Telemetry
>
> Look at Step-5 on how to create a regex for the grok parser. The grok parser
> also allows you to validate the fields.
>
> Good luck !
>
> Thanks
> Srikanth
>
> On July 20, 2018 at 4:23 AM Farrukh Naveed Anjum <anjum.farr...@gmail.com>
> wrote:
>
> Hi,
>
> I am trying to index the Syslog using CEF Parser with Nifi.
>
> It does not give any error, though; it transports data to kafka without indexing
> it. It keeps giving FAILED in Spout.
>
> I believe indexing Syslog is the most basic use case for all. But metron fails
> to do it with each in standard format.
>
> I tried bro for it. But even it keeps giving PARSER Error.
>
> Any help? Fast will be appreciated.
>
> --
> With Regards
> Farrukh Naveed Anjum
>
> ______________________
>
> *Srikanth Nagarajan *
> *Principal*
>
> *Gandiva Networks Inc*
>
> *732.690.1884* Mobile
>
> s...@gandivanetworks.com
>
> www.gandivanetworks.com
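As an added illustration of what the chained syslog-then-CEF parsing discussed above has to do (this is example code written for this thread, not code from Metron's own parsers or from anyone in the thread), here is a small Python parser that strips the syslog envelope and then splits the CEF header and extension, honouring CEF's `\|` and `\=` escapes. The sample line, vendor name and field names are constructed.

```python
import re
# Constructed sample: one CEF event carried inside an RFC 3164 syslog envelope.
SAMPLE = (
    "<134>Jul 20 09:39:00 fw01 CEF:0|ExampleVendor|Firewall|2.1|100|"
    "Blocked request \\| policy 7|8|src=10.0.0.15 spt=51322 dst=203.0.113.7 dpt=443 "
    "msg=Outbound to /admin\\=true denied"
)
# Syslog envelope: <PRI>timestamp host, then the CEF payload.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                       r"(?P<host>\S+) (?P<payload>CEF:.*)$")
# Extension keys sit at line start or after whitespace; an escaped \= never starts one.
EXT_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
HEADER_NAMES = ("cef_version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity")

def split_cef_header(payload):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):   # escaped char: keep it literally
            cur.append(payload[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, payload[i:]   # the remainder is the extension string

def parse_extension(ext):
    """Parse 'key=value key=value'; values may contain spaces and \\= escapes."""
    keys, out = list(EXT_KEY_RE.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", ext[m.end():end].strip())
    return out

def parse_syslog_cef(line):
    """Return one flat record, like the output of a syslog-then-CEF parser chain."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line carrying a CEF payload")
    pri = int(m.group("pri"))   # PRI encodes facility*8 + severity
    header, ext = split_cef_header(m.group("payload")[len("CEF:"):])
    rec = {"syslog_facility": pri // 8, "syslog_severity": pri % 8,
           "syslog_host": m.group("host"), "syslog_timestamp": m.group("ts")}
    rec.update(zip(HEADER_NAMES, header))
    rec.update(parse_extension(ext))
    return rec
```

A line that fails either stage raises ValueError, which is the condition a parser topology would surface as a parse failure rather than silently indexing a partial record.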