Untitled

source s_network{
    network(
        ip("172.18.0.20")
        port(514)
        transport("tcp")
        log-fetch-limit(250)
        max-connections(20)
    );
};

destination d_network{
    file(
        "/var/log/network/$HOST/$S_YEAR.$S_MONTH.$S_DAY/messages"
        create-dirs(yes)
    );
};

destination d_network_firewall{
    file(
        "/var/log/network/$HOST/$S_YEAR.$S_MONTH.$S_DAY/messages.json"
        template("$(format_json --scope rfc5424 --key HOST --key ISODATE --key nf.* --key geoip2.*)\n")
        create-dirs(yes)
    );
};

filter f_main_router { host("netgear") and match("FORWARD-SYN" value("MESSAGE")) };

# resolve non-local destination IP addresses
# using Python parser
parser p_resolver {
    python(
        class("SngResolver")
    );
};

#python {
#
#"""
#simple syslog-ng Python parser example
#resolves IP to hostname
#value pair names are hard-coded
#"""
#
#import socket
#
#class SngResolver(object):
#    def parse(self, log_message):
#        """
#        Resolves IP to hostname
#        """
#
#        ipaddr_b = log_message['nf.DST']
#        ipaddr = ipaddr_b.decode('utf-8')
#
#        # try to resolve the IP address
#        try:
#            resolved = socket.gethostbyaddr(ipaddr)
#            hostname = resolved[0]
#            log_message['hostname.dest'] = hostname
#        except:
#            pass
#
#        # return True, other way message is dropped
#        return True
#
#};

log {
    source(s_network);
    destination(d_network);
    log {
        filter(f_main_router);
        parser {
            kv-parser(
                prefix("nf.")
            );
            p_resolver();
            geoip2(
                "${nf.DST}",
                prefix( "geoip2." )
                database( "/etc/syslog-ng/GeoLite2-City.mmdb" )
            );
        };
        rewrite(r_geoip2);
        destination(d_network_firewall);
    };
};