{"id":145,"date":"2015-01-20T09:58:08","date_gmt":"2015-01-20T09:58:08","guid":{"rendered":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=145"},"modified":"2017-01-31T11:50:29","modified_gmt":"2017-01-31T11:50:29","slug":"orchids-inputs-conf","status":"publish","type":"page","link":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=145","title":{"rendered":"orchids-inputs.conf"},"content":{"rendered":"<p>The <code>orchids-inputs.conf<\/code> configuration file describes where Orchids will take its inputs from. It organizes <a title=\"Input modules\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=126\">input modules<\/a> and <a title=\"Dissection modules\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=131\">dissection modules<\/a>. Think of it as plumbing:<\/p>\n<ul>\n<li>Use input modules to obtain data from event sources<\/li>\n<li>Use dissection modules as pipes.<\/li>\n<\/ul>\n<h3>Input<\/h3>\n<p>Orchids can take data from several sources.\u00a0 Declare a new source by writing a directive of the form <code>INPUT<\/code> <em>module-name<\/em> <em>tag<\/em>.<\/p>\n<p>This states that a new instance of module <em>module-name<\/em> should be used to obtain data from source <em>tag<\/em>. What <em>tag<\/em> is depends on the module. 
For example:<\/p>\n<pre>INPUT textfile \"\/var\/log\/messages\"<\/pre>\n<p>instructs Orchids to open file <code>\/var\/log\/messages<\/code> for reading, and to use the <a title=\"The textfile module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=87\"><code>textfile<\/code><\/a> module for that purpose.\u00a0 As another example,<\/p>\n<pre>INPUT udp 514<\/pre>\n<p>tells Orchids to listen on port 514 for UDP packets, and to use the <a title=\"The udp module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=171\"><code>udp<\/code><\/a> module for that purpose.<\/p>\n<p>Once Orchids is running, every input module thus declared will wait for input on the given data sources, and convert it into a series of Orchids events.<\/p>\n<p>Orchids events are records, namely lists of pairs (<em>field-name<\/em>, <em>field-value<\/em>).\u00a0 For Orchids events produced by input modules, two of these fields play a special role:<\/p>\n<ul>\n<li>The <strong>next-to-last<\/strong> field usually replicates the <em>tag<\/em>, as a string.\u00a0 This allows one to know from which text file the event was obtained (in the case of the <a title=\"The textfile module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=87\"><code>textfile<\/code><\/a> module), for example.\u00a0 However, its main purpose is to connect the Orchids event to the right dissection module.<\/li>\n<li>The <strong>last<\/strong> field contains the useful content that was just read by the module: a line of text for the <a title=\"The textfile module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=87\"><code>textfile<\/code><\/a> module (of type <code>str<\/code>), an array of raw bytes for the <a title=\"The udp module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=171\"><code>udp<\/code><\/a> module (of type <code>bstr<\/code>).<\/li>\n<\/ul>\n<p>See the <a title=\"Input modules\" 
href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=126\">input modules<\/a> page for more details.<\/p>\n<h3>Dissection<\/h3>\n<p>One can then connect data obtained by input modules to dissection modules by issuing directives of the form <code>DISSECT<\/code> <em>dissection-module<\/em> <em>input-module<\/em> <em>tag<\/em>.\u00a0 The purpose of dissection modules is to parse data from the last fields of Orchids events.\u00a0 For example:<\/p>\n<pre>DISSECT syslog textfile \"\/var\/log\/messages\"<\/pre>\n<p>instructs Orchids to feed any Orchids event obtained by the <a title=\"The textfile module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=87\"><code>textfile<\/code><\/a> module with tag <code>\/var\/log\/messages<\/code> to the <a title=\"The syslog module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=157\"><code>syslog<\/code><\/a> module for further dissection (parsing).<\/p>\n<p>The <em>input-module<\/em> is in fact not restricted to being an input module, and can be a dissection module as well, allowing for cascades of dissection modules.\u00a0 For example, declaring:<\/p>\n<pre>INPUT               udp        514\nDISSECT  bintotext  udp        514\nDISSECT  syslog     bintotext  514<\/pre>\n<p>states that any data obtained from a UDP connection over port 514 should be fed to the <a title=\"The bintotext module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=121\"><code>bintotext<\/code><\/a> module (to convert raw packets into sequences of text lines), and that the resulting lines should be fed to the <a title=\"The syslog module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=157\"><code>syslog<\/code><\/a> module.\u00a0 This is how remote events obtained through UDP, in <a title=\"syslog format\" href=\"https:\/\/en.wikipedia.org\/wiki\/Syslog#Format_of_a_Syslog_packet\">syslog format<\/a>, should be presented to 
Orchids.<\/p>\n<p>See the <a title=\"Dissection modules\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=131\">dissection modules<\/a> pages for more details.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The orchids-inputs.conf configuration file describes where Orchids will take its inputs from. It organizes input modules and dissection modules. Think of it as plumbing: Use input modules to obtain data from event sources Use dissection modules as pipes. Input Orchids can take data from several sources.\u00a0 Declare a new source by writing a directive of &hellip; <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=145\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">orchids-inputs.conf<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-145","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=145"}],"version-history":[{"count":7,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/145\/revisions"}],"predecessor-version":[{"id":546,"href":"https:\/\/projects.lsv.ens-paris-saclay.
fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/145\/revisions\/546"}],"wp:attachment":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}