> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Aaron Wiebe
> Sent: Friday, June 18, 2010 2:57 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] feedback requested: NEW rsyslog.conf format
>
> On Fri, Jun 18, 2010 at 1:48 AM, Rainer Gerhards
> <[email protected]> wrote:
> >
> > One thing that you (RB) brought up is very interesting: the ability to parse
> > a message multiple times. Would that actually be useful? So far, I have
> > worked on the assumption that a message will be parsed exactly once, thinking
> > that the parser is bound to a device-specific format (and all messages from
> > the same device have the same format). Note that even today it is possible to
> > MODIFY messages after they are parsed. Message modification modules do that.
> > However, there currently does not exist any such module. I had no need to
> > create one and as it looks nobody else had ;)
>
> I think multiple parsings would make sense if the method to do the
> parser passes worked something like this:
>
> 1. First ruleset, multiple source inputs, extremely simple pattern match
> 2. Second with very complex rules for rare cases where only 10% of
>    traffic inbound to first ruleset makes it.
>
> Would this be a good application of omruleset, or would there be a
> more efficient method?

The fundamental design (currently) is that a message is parsed exactly
once. So that would probably not work as you expect. But note that the
raw message is always kept in %rawmsg%, so whatever an output wants to
do, it can do based on the original message content.

> Secondly, rsyslog already modifies the stream in sometimes difficult
> to understand ways. You'd be surprised how many syslog sources
> completely ignore the expected format.

Not the least ;) This is what parser modules are actually for: they
should match the format of a given source, assuming that a single
source emits a malformed, but consistent format.

> That said, I would LOVE to
> have something that could rewrite a log line based on some variation
> of tokens or regex (a la awk). Full regex would probably be required,
> but it would be nice to also have a simple interface as well.

While not easy for the average user, the new strgen modules can be used
to do that, and do it in a high-performance way (because they are C
programs). They can work on %rawmsg%, so you can do whatever format
mangling you would like to do.

Rainer

>
> -Aaron
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
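The two-stage layout Aaron sketches (a cheap first ruleset that hands a small fraction of traffic to an expensive second one) can be expressed with omruleset in the legacy rsyslog.conf syntax that was current at the time of this thread. The fragment below is an added illustration written for this page; it is not configuration from the thread or from the rsyslog project, and the file paths, the TCP port, the "session " substring and the regular expression are constructed placeholders. It also shows Rainer's point about %rawmsg%: the second ruleset does not re-parse anything, it sees the same parsed properties as the first one plus the untouched raw message, so any heavy matching is done against rawmsg rather than against a re-parse.

```rsyslog
# Added example (not from the thread): two-stage filtering with omruleset,
# legacy rsyslog.conf syntax. Paths, port and patterns are constructed.
$ModLoad imtcp
$ModLoad omruleset

# Stage 2: expensive rules. Only messages forwarded from stage 1 arrive here.
# The message is NOT parsed again; %rawmsg% still holds the original bytes,
# so the costly regex runs against the raw line, not a re-parsed one.
$RuleSet deep
$template RawOnly,"%rawmsg%\n"
:rawmsg, regex, "session (opened|closed) for user [a-z0-9_-]+ by" /var/log/sessions-raw.log;RawOnly
& ~
# anything that reached stage 2 but did not match is dropped here
*.* ~

# Stage 1: cheap substring test on every inbound message. Only the small
# share that matches is queued into "deep"; the original copy continues
# through this ruleset unchanged.
$RuleSet cheap
$ActionOmrulesetRulesetName deep
:msg, contains, "session " :omruleset:
# all traffic, including the forwarded share, is still kept in full
*.* /var/log/all.log

# bind the network input to the cheap ruleset (must come after $RuleSet cheap)
$InputTCPServerBindRuleset cheap
$InputTCPServerRun 10514
```

Two ordering rules of the legacy syntax matter here: the target ruleset ("deep") has to be declared before $ActionOmrulesetRulesetName names it, and $ActionOmrulesetRulesetName has to precede the :omruleset: action it configures. Because omruleset submits a copy of the message to the other ruleset's queue, the discard in "deep" does not affect the copy that stage 1 writes to /var/log/all.log.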

