Hi, I've been strumming the documentation and looking through the answers site, so far unable to come up with a solution to the topic problem. Appreciate any advice!
Working with archived data from remote systems that includes the output of the unix/linux-style "iptables -L" command. We want to search the info according to ACCEPTs, src addresses, etc.
Individual lines in the data don't have date/time info or "chain" names, so I wrote a python script that reads stdin and outputs lines with date/time and a series of name=value pairs. I hoped to get this working from props.conf with a stanza that looks roughly thus:
# map files whose source path matches this pattern to the sourcetype
[source::.../iptables-log*]
sourcetype = iptables-trafficlog

# treat the file as an archive and run this command to unpack it
[iptables-trafficlog]
invalid_cause = archive
unarchive_cmd = python interpret-iptables-eventlog.py
That didn't seem to work much 😞 My hypothesis right now is that input processing isn't finding either the python interpreter or my script. My questions are: (1) is what I'm attempting supposed to work? (2) Where do I deploy my script, and how do I specify its invocation within props.conf? (3) Is there a much simpler or obvious solution that I've overlooked?
thanks so much for your time and attention!
--A Newbie
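The kind of filter the post describes, written out as an added example (this is not the poster's interpret-iptables-eventlog.py and not Splunk code). It reads plain `iptables -L` (or `iptables -L -n`) output on stdin, carries each "Chain ..." header's name and policy forward onto the rule lines beneath it, and prints one timestamped key=value event per rule on stdout, which is the stdin-to-stdout shape the post says the script has. The sample input, the field names (chain, policy, target, prot, opt, src, dst, extra) and the ISO-8601 timestamp format are my own choices; the verbose `-L -v` layout, which prepends pkts/bytes columns, is not handled.

```python
"""Convert `iptables -L` output into self-describing key=value events.

Example filter, not the original poster's script. Assumes plain `-L`
(optionally `-n`) output: a "Chain NAME (policy X)" header, a column
header line, then one rule per line with the columns
target prot opt source destination [match options].
"""
import re
import sys
from datetime import datetime, timezone

# Header of a built-in chain ("Chain INPUT (policy ACCEPT)") or of a
# user-defined chain ("Chain DOCKER (2 references)"), which has no policy.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references?)\)")
COLUMN_HEADER = ["target", "prot", "opt", "source", "destination"]
FIELD_NAMES = ("target", "prot", "opt", "src", "dst")   # our output keys


def parse_iptables_list(text):
    """Yield one dict per rule line, with the enclosing chain attached."""
    chain = policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:                                   # new chain: remember its name/policy
            chain = m.group(1)
            policy = m.group(2) or "none"       # user-defined chains carry no policy
            continue
        if line.split()[:5] == COLUMN_HEADER:   # column header repeated per chain
            continue
        if chain is None:                       # text before the first chain header
            continue
        fields = line.split(None, 5)            # 5 fixed columns + free-form match text
        if len(fields) < 5:                     # not a rule line; skip rather than guess
            continue
        rule = dict(zip(FIELD_NAMES, fields[:5]))
        rule["chain"] = chain
        rule["policy"] = policy
        rule["extra"] = fields[5] if len(fields) > 5 else ""
        yield rule


def kv(key, value):
    """Render key=value, double-quoting values that are empty or contain spaces."""
    if value == "" or re.search(r"\s", value) or '"' in value:
        value = '"%s"' % value.replace('"', '\\"')
    return "%s=%s" % (key, value)


def format_event(rule, timestamp):
    """One event line: <timestamp> chain=... policy=... target=... src=... ..."""
    order = ("chain", "policy", "target", "prot", "opt", "src", "dst", "extra")
    return timestamp + " " + " ".join(kv(k, rule[k]) for k in order)


# Constructed sample of `iptables -L` output used for the self-check below.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  10.0.0.5             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             192.168.1.1          udp dpt:domain
"""


def main():
    # The snapshot itself carries no time, so stamp every event with the
    # moment this filter ran (UTC, ISO 8601).
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for rule in parse_iptables_list(text):
        print(format_event(rule, stamp))


if __name__ == "__main__":
    main()
```

Run it as `cat iptables-log-2024-01-01 | python this_script.py` to see the events; with no piped input it processes the embedded sample. One caveat a searcher will care about: the timestamp is the time the filter ran, not the time the snapshot was taken on the remote system, so if the archive file names or headers carry the capture date it is worth passing that in instead of calling datetime.now().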