This is the RE case I posted in the forum last week, and an output module is the best way to achieve it.

Here is the case I described:

"For example, a typical firewall log:

192.168.20.5 23456 192.168.10.10 80 Accept Web
192.168.20.6 5678 192.168.10.10 22 Deny SSH

If I want to have the XML form of them, it could be:

<srcip>192.168.20.5</srcip><dstip>192.168.10.10</dstip><srcport>23456</srcport><dstport>80</dstport><action>Accept</action><comment>Web</comment>
<srcip>192.168.20.6</srcip><dstip>192.168.10.10</dstip><srcport>5678</srcport><dstport>22</dstport><action>Deny</action><comment>SSH</comment>

If I understand templates correctly, I would have to run an RE 6 times for each log entry, and that could cause a performance issue in a large environment for sure."

So I need to rewrite the msg in the output module; please let me know where to find some sample code or doc.

And here is one more question:

"One thing I want to make sure of is that the output plugin which I will make should still be able to use other output methods such as syslog/snmp etc. with the converted message, right?"

I was able to create my own output module based on the stdout module, but could not figure out how to write the msg back to rsyslog so the rewritten msg can be used by other output modules. Is this doable?

Thanks a lot.

--
John

On Wed, May 26, 2010 at 3:28 PM, Rainer Gerhards <[email protected]> wrote:

> You need to look into templates. It is quite easy to rewrite message
> content with templates. There are samples in the doc and in the wiki.
>
> Rainer
>
> ----- Original Message -----
> From: John Li <[email protected]>
> Sent: Wednesday, 26 May 2010 18:53
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] Where is the output module for the udp
> transportation to remote syslog server
>
> Thanks.
>
> My goal is to change the content of msg and I am planning to use an output
> module to do that. Is this the right approach, and do you mind pointing me to
> some sample code in an output module to do that?
>
> --
> John Jun Li
> [email protected]
>
> My Blog: http://www.jlisbz.com
> My LinkedIn Profile: http://www.linkedin.com/in/johnjunli
>
> On Wed, May 26, 2010 at 11:36 AM, Rainer Gerhards
> <[email protected]> wrote:
>
> > This is a built-in module, it does not need to be loaded (it is actually
> > linked into the main executable).
> >
> > HTH
> > Rainer
> >
> > ----- Original Message -----
> > From: John Li <[email protected]>
> > Sent: Wednesday, 26 May 2010 07:03
> > To: [email protected] <[email protected]>
> > Subject: [rsyslog] Where is the output module for the udp transportation
> > to remote syslog server
> >
> > Hi,
> >
> > Is the output via udp to remote syslog server implemented as an output
> > module? I could not find it in the plugins folder.
> >
> > Thanks.
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
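
The single-pass conversion asked about in the message above, as an added example that is not part of the original thread and does not use rsyslog's module API: the hypothetical function `fwlog_to_xml` splits the six columns in one scan instead of six regex matches and emits the XML form shown in the message. It escapes `<`, `>` and `&` so a field value cannot break the markup, and it assumes the comment is the last column and may contain spaces.

```c
#include <stdio.h>
#include <string.h>

/* Copy n bytes of src into out, escaping XML metacharacters; -1 if out is full. */
static int xml_append(char *out, size_t outsz, size_t *pos, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        char one[2] = { src[i], '\0' };
        const char *rep = src[i] == '<' ? "&lt;" : src[i] == '>' ? "&gt;"
                        : src[i] == '&' ? "&amp;" : one;
        size_t len = strlen(rep);
        if (*pos + len >= outsz) return -1;   /* keep room for the NUL */
        memcpy(out + *pos, rep, len);
        *pos += len;
    }
    out[*pos] = '\0';
    return 0;
}

/* Hypothetical helper: "srcip srcport dstip dstport action comment" -> XML.
 * Returns 0, or -1 on a line with fewer than six fields or a too-small buffer. */
int fwlog_to_xml(const char *line, char *out, size_t outsz)
{
    /* Tags in the order the message prints them; col[] is each tag's log column. */
    static const char *tag[6] = { "srcip", "dstip", "srcport", "dstport", "action", "comment" };
    static const int col[6] = { 0, 2, 1, 3, 4, 5 };
    const char *start[6], *p = line;
    size_t len[6], pos = 0;

    if (outsz == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < 6; i++) {             /* one scan over the line, no regex */
        p += strspn(p, " \t");
        start[i] = p;
        len[i] = strcspn(p, i == 5 ? "\r\n" : " \t\r\n");  /* comment keeps spaces */
        if (len[i] == 0) return -1;
        p += len[i];
    }
    for (int i = 0; i < 6; i++) {
        int n = snprintf(out + pos, outsz - pos, "<%s>", tag[i]);
        if (n < 0 || (size_t)n >= outsz - pos) return -1;
        pos += (size_t)n;
        if (xml_append(out, outsz, &pos, start[col[i]], len[col[i]]) != 0) return -1;
        n = snprintf(out + pos, outsz - pos, "</%s>", tag[i]);
        if (n < 0 || (size_t)n >= outsz - pos) return -1;
        pos += (size_t)n;
    }
    return 0;
}
```

On a -1 return the buffer may hold a partial record and should be discarded.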

