Sunday, September 20, 2015

Adding OpenWRT sourcetype

I've made some modifications to the props.conf and added the new source type:

[syslog]
TRANSFORMS-changesourcetype = fios, pfsense, asus, netgear, skyhub, linksys, mikro, openwrt
[openwrt]
# Based on Asus RT-N66U router syslog output.
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as protocol
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
EXTRACT-action = ^[^\]\n]*\]\s+(?P<action>\w+)
pulldown_type = 1
LOOKUP-action_lookup = action_lookup action OUTPUT action2

And made a quick change to the transforms.conf to include openwrt:

[openwrt]
# Make sure that this matches the hostname of your router, openwrt is just an example.
REGEX = openwrt
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::openwrt
DEST_KEY = MetaData:Sourcetype
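As an added check (not part of the original post or the home | monitor app), the script below replays the two stanzas above in Python against constructed syslog lines: the host match that TRANSFORMS-changesourcetype performs, the EXTRACT-action regex, and the FIELDALIAS mappings. The sample events, host names and the key=value parser are assumptions made for the demo; note that Splunk's REGEX is an unanchored substring match, so any host containing "openwrt" is reassigned.

```python
import re
from typing import Dict

# props.conf: EXTRACT-action = ^[^\]\n]*\]\s+(?P<action>\w+)
# Skips to the first "]" (the kernel timestamp), then takes the next word.
ACTION_RE = re.compile(r"^[^\]\n]*\]\s+(?P<action>\w+)")

# props.conf FIELDALIAS-* entries: iptables key -> aliased field name
FIELD_ALIASES = {"SRC": "src_ip", "DST": "dest_ip", "PROTO": "protocol",
                 "SPT": "src_port", "DPT": "dest_port"}

# Assumed parser for iptables KEY=VALUE pairs (Splunk auto-extracts these).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample events as (host, _raw); not real router output.
SAMPLE_EVENTS = [
    ("openwrt", "Sep 20 10:15:02 openwrt kernel: [ 8120.443] DROP IN=eth0 OUT= "
                "SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=243 PROTO=TCP "
                "SPT=44321 DPT=22 WINDOW=1024 SYN URGP=0"),
    ("openwrt", "Sep 20 10:16:44 openwrt dropbear[1130]: Child connection "
                "from 192.0.2.20:51234"),
    ("pfsense-fw", "Sep 20 10:17:00 pfsense-fw filterlog: 5,,,1000000103,em0,"
                   "match,block,in,4"),
]


def assign_sourcetype(host: str, default: str = "syslog") -> str:
    """transforms.conf [openwrt]: REGEX=openwrt on MetaData:Host (unanchored)."""
    return "openwrt" if re.search("openwrt", host) else default


def extract_fields(raw: str) -> Dict[str, str]:
    """Apply EXTRACT-action plus the FIELDALIAS mappings to one raw event."""
    fields: Dict[str, str] = {}
    m = ACTION_RE.match(raw)
    if m:  # only fires on lines with a "]" followed by whitespace and a word
        fields["action"] = m.group("action")
    for key, value in KV_RE.findall(raw):
        if not value:  # iptables logs empty values such as OUT=; skip them
            continue
        fields[key] = value
        if key in FIELD_ALIASES:
            fields[FIELD_ALIASES[key]] = value
    return fields


def parse_event(host: str, raw: str) -> Dict[str, str]:
    return {"sourcetype": assign_sourcetype(host), **extract_fields(raw)}


if __name__ == "__main__":
    for host, raw in SAMPLE_EVENTS:
        print(parse_event(host, raw))
```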


Special thanks to @LodiHensen [twitter] for helping test out this source type on OpenWRT.

I will add these updates to the next release of the home | monitor > app, but for now you can copy these entries into your props.conf and transforms.conf files.
