I don't totally agree. First, you will lose the flexibility on the input side if you put the rewriting code in the input module. Second, the parser looks like it targets syslog format validity instead of message rewriting.
But if it's not possible to rewrite the msg in the output module, I will have to do that in the parser. Can someone please confirm? Thanks.

--
John Jun Li
[email protected]
My Blog: http://www.jlisbz.com
My LinkedIn Profile: http://www.linkedin.com/in/johnjunli

On Thu, May 27, 2010 at 1:55 AM, <[email protected]> wrote:

> you may want to consider doing this on the input side instead of the
> output side.
>
> see http://www.rsyslog.com/doc-messageparser.html
>
> yes, in many ways it's operating backwards, but it may be significantly
> less work to implement and maintain it this way.
>
> David Lang
>
> On Wed, 26 May 2010, John Li wrote:
>
> > This is the RE case I posted in forum last week and output module is the
> > best to achieve it.
> >
> > Here is the case I described:
> > "
> > For example, a typical firewall log:
> > 192.168.20.5 23456 192.168.10.10 80 Accept Web
> > 192.168.20.6 5678 192.168.10.10 22 Deny SSH
> >
> > If I want to have the xml form of them, it could be :
> > <srcip>192.168.20.5</srcip><dstip>192.168.10.10</dstip><srcport>23456</srcport><dstport>80</dstport><action>Accept</action><comment>Web</comment>
> > <srcip>192.168.20.6</srcip><dstip>192.168.10.10</dstip><srcport>5678</srcport><dstport>22</dstport><action>Deny</action><comment>SSH</comment>
> >
> > If I understand correctly for template, I had to do RE for 6 times for each
> > log entry and that could cause performance issue in large environment for
> > sure. "
> >
> > So I need to rewrite the msg in the output module, please let me know where
> > to find some sample code or doc. And here is one more question:
> >
> > "One thing I want to make sure is the output plugin which I will make should
> > be still able to use other output method such as syslog/snmp etc with the
> > converted message, right?"
> >
> > I was able to create my own output module based on the stdout module but
> > could not figure out how to rewrite the msg back to rsyslog so the rewritten
> > msg can be used by other output module. Is this doable?
> >
> > Thanks a lot.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
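The conversion described in the thread, done with one tokenizing pass per line instead of six regular expressions, as an added example that is not part of the thread and is not rsyslog code or an rsyslog module. The names `fwlog_to_xml`, `put` and `put_escaped` are hypothetical; it assumes blank-separated columns with the comment as the last one, and it escapes field values so that log content cannot change the XML structure.

```c
#include <string.h>

struct buf { char *p; size_t cap, len; };   /* invariant: len < cap, p[len] == '\0' */
/* Append a C string, keeping the buffer NUL-terminated; -1 if it does not fit. */
static int put(struct buf *b, const char *s)
{
    size_t n = strlen(s);
    if (n >= b->cap - b->len) return -1;
    memcpy(b->p + b->len, s, n + 1);
    b->len += n;
    return 0;
}

/* Append n bytes of a field value, escaping what would break the XML. */
static int put_escaped(struct buf *b, const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        char one[2] = { s[i], '\0' };
        if (put(b, s[i] == '<' ? "&lt;" : s[i] == '>' ? "&gt;" :
                   s[i] == '&' ? "&amp;" : one))
            return -1;
    }
    return 0;
}

/* One pass, no regex: "srcip srcport dstip dstport action comment" -> XML.
 * Returns 0 on success, -1 on a short line or a full output buffer. */
int fwlog_to_xml(const char *line, char *out, size_t cap)
{
    static const char *tag[6] = {"srcip", "dstip", "srcport", "dstport", "action", "comment"};
    static const int col[6] = {0, 2, 1, 3, 4, 5};   /* input column feeding each tag */
    struct buf b = { out, cap, 0 };
    const char *f[6];
    size_t n[6];
    if (cap == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < 6; i++) {                   /* split on blanks, once */
        line += strspn(line, " \t");
        f[i] = line;                                /* assumption: comment runs to end of line */
        n[i] = strcspn(line, i == 5 ? "\r\n" : " \t\r\n");
        if (n[i] == 0) return -1;                   /* fewer than six columns */
        line += n[i];
    }
    for (int i = 0; i < 6; i++)
        if (put(&b, "<") || put(&b, tag[i]) || put(&b, ">") ||
            put_escaped(&b, f[col[i]], n[col[i]]) ||
            put(&b, "</") || put(&b, tag[i]) || put(&b, ">"))
            return -1;
    return 0;
}
```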

