Perform the following procedure to build custom-formatted syslog notifications.
Procedure
- Use the --get switch to write the system default templates to the local directory:

    # /usr/share/cb/cbsyslog --get
    # ll
    -rw-rw-r--. 1 root root 246 May 22 00:16 binaryinfo.group.observed.template
    -rw-rw-r--. 1 root root 285 May 22 00:16 binaryinfo.host.observed.template
    -rw-rw-r--. 1 root root 221 May 22 00:16 binaryinfo.observed.template
    -rw-rw-r--. 1 root root 194 May 22 00:16 feed.ingress.hit.binary.template
    -rw-rw-r--. 1 root root 210 May 22 00:16 feed.ingress.hit.process.template
    -rw-rw-r--. 1 root root 194 May 22 00:16 feed.storage.hit.binary.template
    -rw-rw-r--. 1 root root 243 May 22 00:16 feed.storage.hit.process.template
    -rw-rw-r--. 1 root root 575 May 22 00:16 watchlist.hit.binary.template
    -rw-rw-r--. 1 root root 460 May 22 00:16 watchlist.hit.process.template

  Each template is rendered with a context that holds a single Python dictionary called doc, which contains the set of all possible key-value pairs for that event type.
- To view the set of all possible keys, use a Jinja for loop to iterate over the indexed fields in the Solr document:
  - Create a 'forloop.txt' template with the following contents:

        {% for k in doc %}{{k}}={{doc[k]}} {% endfor %}

  - Use the --template switch to output all of the available keys for a specific event type:

        # /usr/share/cb/cbsyslog --template ./forloop.txt --event watchlist.hit.process
        process_md5=506708142bc63daba64f2d3ad1dcd5bf process_sha256=6635a659bc80def44859f36719ed30618589c4b50abc17def38ee7dd913721 sensor_id=15 modload_count=45 filemod_count=0 servername=cbent-qa-nodesvr02 watchlist_id=-1 watchlist_name=SyslogTest id=1068044553602656801 group=SetSensor hostname=CB-WIN81X64-01 last_update=2014-02-28T02:29:00.09Z start=2014-02-28T02:29:00.043Z netconn_count=0 username=SYSTEM process_name=googleupdate.exe path=c:\program files (x86)\google\update\googleupdate.exe regmod_count=1 segment_id=1488563344023 host_type=workstation cb_version=4.1.1.140225.1913 childproc_count=0 unique_id=00000c42-0000-172c-01d0-5d6cca2adbb2-015A954A1297
- To get a list of available event types, use the --list-events option:

    [root@localhost mytemplates]# /usr/share/cb/cbsyslog --list-events
    binaryinfo.group.observed
    binaryinfo.host.observed
    binaryinfo.observed
    feed.ingress.hit.binary
    feed.ingress.hit.host
    feed.ingress.hit.process
    feed.storage.hit.binary
    feed.storage.hit.process
    watchlist.hit.binary
    watchlist.hit.process
    feed.query.hit.binary
    feed.query.hit.process
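The rendering model above (a Jinja template given one dictionary named doc) can be tried offline before a template is installed. The following is an added example, not part of the cbsyslog documentation or product: it renders the page's forloop template and a custom key=value template with the jinja2 library against a constructed sample document, using a hypothetical q filter that quotes values such as path, whose spaces and backslashes would otherwise break a downstream key=value parser, and a default() for keys an event type may not carry. Whether cbsyslog itself allows registering custom filters is not stated on the page.

```python
"""Render cbsyslog-style Jinja templates against a constructed event document."""
from jinja2 import BaseLoader, Environment, StrictUndefined

# Constructed sample; keys mirror those listed for watchlist.hit.process.
SAMPLE_DOC = {
    "hostname": "CB-WIN81X64-01",
    "username": "SYSTEM",
    "process_name": "googleupdate.exe",
    "path": r"c:\program files (x86)\google\update\googleupdate.exe",
    "process_md5": "506708142bc63daba64f2d3ad1dcd5bf",
    "watchlist_name": "SyslogTest",
    "start": "2014-02-28T02:29:00.043Z",
}

# The enumeration template from the page, verbatim.
FORLOOP_TEMPLATE = "{% for k in doc %}{{k}}={{doc[k]}} {% endfor %}"

# Custom syslog line. Every value passes through the hypothetical q filter so
# spaces, quotes and backslashes stay inside one field; sensor_id is absent in
# SAMPLE_DOC, so default('-') keeps StrictUndefined from aborting the render.
KV_TEMPLATE = (
    "CB_WATCHLIST_HIT host={{ doc.hostname|q }} user={{ doc.username|q }} "
    "watchlist={{ doc.watchlist_name|q }} md5={{ doc.process_md5|q }} "
    "path={{ doc.path|q }} sensor={{ doc.sensor_id|default('-')|q }}"
)


def quote(value):
    """Escape backslashes, double quotes and newlines, then wrap in quotes."""
    s = str(value)
    s = s.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return '"' + s + '"'


def make_env():
    """StrictUndefined turns a misspelled key into an error instead of ''."""
    env = Environment(loader=BaseLoader(), undefined=StrictUndefined, autoescape=False)
    env.filters["q"] = quote
    return env


def render(template_text, doc):
    """Render template_text with the single-dictionary context cbsyslog uses."""
    return make_env().from_string(template_text).render(doc=doc)


if __name__ == "__main__":
    print(render(FORLOOP_TEMPLATE, SAMPLE_DOC))
    print(render(KV_TEMPLATE, SAMPLE_DOC))
```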