You may want to consider doing this on the input side instead of the output side.

See http://www.rsyslog.com/doc-messageparser.html

Yes, in many ways it's operating backwards, but it may be significantly less work to implement and maintain it this way.

David Lang

On Wed, 26 May 2010, John Li wrote:

> This is the RE case I posted in the forum last week, and an output module is the
> best way to achieve it.
>
> Here is the case I described:
> "
> For example, a typical firewall log:
> 192.168.20.5 23456 192.168.10.10 80 Accept Web
> 192.168.20.6 5678 192.168.10.10 22 Deny SSH
>
> If I want to have the XML form of them, it could be:
> <srcip>192.168.20.5</srcip><dstip>192.168.10.10</dstip><srcport>23456</srcport><dstport>80</dstport><action>Accept</action><comment>Web</comment>
> <srcip>192.168.20.6</srcip><dstip>192.168.10.10</dstip><srcport>5678</srcport><dstport>22</dstport><action>Deny</action><comment>SSH</comment>
>
> If I understand templates correctly, I would have to do the RE 6 times for each
> log entry, and that could cause performance issues in a large environment for
> sure. "
>
> So I need to rewrite the msg in the output module; please let me know where
> to find some sample code or docs. And here is one more question:
>
> "One thing I want to make sure of is that the output plugin which I will make should
> still be able to use other output methods such as syslog/snmp etc. with the
> converted message, right?"
>
> I was able to create my own output module based on the stdout module but
> could not figure out how to rewrite the msg back to rsyslog so the rewritten
> msg can be used by other output modules. Is this doable?
>
> Thanks a lot.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
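The conversion discussed in this thread can be done in a single pass over each line instead of six regular-expression matches. The sketch below is an added example, not code from either poster or from rsyslog: `fw_to_xml` and `xml_escape` are hypothetical names, it is plain C that does not use rsyslog's parser or output module interfaces, and it assumes the comment field runs to the end of the line. Field values are XML-escaped because log content is controlled by whoever generates the traffic.

```c
#include <stdio.h>
#include <string.h>
/* Copy s[0..n) into dst, escaping XML metacharacters. Returns -1 if dst is too small. */
static int xml_escape(const char *s, size_t n, char *dst, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        char one[2] = { s[i], '\0' };
        const char *rep = s[i] == '<' ? "&lt;" : s[i] == '>' ? "&gt;" : s[i] == '&' ? "&amp;" : one;
        size_t len = strlen(rep);
        if (pos + len >= cap) return -1;
        memcpy(dst + pos, rep, len);
        pos += len;
    }
    dst[pos] = '\0';
    return 0;
}

/* Split the six fields in one pass, emit them in the post's XML order; -1 on bad input. */
int fw_to_xml(const char *line, char *out, size_t cap)
{
    static const char *tags[6] = { "srcip", "srcport", "dstip", "dstport", "action", "comment" };
    static const int order[6] = { 0, 2, 1, 3, 4, 5 }; /* input field index per output slot */
    const char *start[6], *p = line;
    size_t len[6], pos = 0;
    for (int f = 0; f < 6; f++) {
        p += strspn(p, " \t");
        len[f] = strcspn(p, f == 5 ? "\r\n" : " \t\r\n"); /* assumed: comment runs to EOL */
        if (len[f] == 0) return -1; /* fewer than six fields */
        start[f] = p;
        p += len[f];
    }
    for (int k = 0; k < 6; k++) {
        char esc[256];
        int f = order[k];
        if (xml_escape(start[f], len[f], esc, sizeof esc) < 0) return -1;
        int w = snprintf(out + pos, cap - pos, "<%s>%s</%s>", tags[f], esc, tags[f]);
        if (w < 0 || (size_t)w >= cap - pos) return -1; /* output buffer too small */
        pos += (size_t)w;
    }
    return 0;
}

int main(void)
{
    char xml[512]; /* constructed input: the first sample line from the post */
    if (fw_to_xml("192.168.20.5 23456 192.168.10.10 80 Accept Web", xml, sizeof xml) == 0) puts(xml);
    return 0;
}
```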

