On Fri, Jun 18, 2010 at 1:48 AM, Rainer Gerhards <[email protected]> wrote:
>
> One thing that you (RB) brought up is very interesting: the ability to parse
> a message multiple times. Would that actually be useful? So far, I have
> worked on the assumption that a message will be parsed exactly once, thinking
> that the parser is bound to a device-specific format (and all messages from
> the same device have the same format). Note that even today it is possible to
> MODIFY messages after they are parsed. Message modification modules do that.
> However, there currently does not exist any such module. I had no need to
> create one and as it looks nobody else had ;)

I think multiple parsings would make sense if the method to do the parser passes worked something like this:

1. First ruleset, multiple source inputs, extremely simple pattern match
2. Second with very complex rules for rare cases where only 10% of traffic inbound to first ruleset makes it.

Would this be a good application of omruleset, or would there be a more efficient method?

Secondly, rsyslog already modifies the stream in sometimes difficult to understand ways. You'd be surprised how many syslog sources completely ignore the expected format. That said, I would LOVE to have something that could rewrite a log line based on some variation of tokens or regex (a la awk). Full regex would probably be required, but it would be nice to also have a simple interface as well.

-Aaron

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

