> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Xavier Fustero > Sent: Tuesday, January 15, 2013 10:28 AM > To: rsyslog-users > Subject: Re: [rsyslog] Substract string from message > > Hi Radu, > > thanks for replying. > > Option 1 doesn't suitable for me as the strings will have different length. > > Regarding option 2 (regular expressions) I tested it and I could use it to > create > dynamic files like I am doing currently using msg:F,58:1. However, I can't see > how to use it to remove *mydirectory* string from the original message sent > by my clients and write this modified message to the log file. > > Option 3 I should upgrade my current rsyslog version. It is planned in very > close future sprints. Looked at it quickly but not sure 100% if it enables me > to > do this. > > I have read that version 7 offers structured logs. Does anyone know if this > enables you to remove some pieces of the original message like the one I > want to? If so, is there any good example?
I think it will be possible, but it's not a main intention and probably requires a lot of config work. Will definitely be pretty slow. I think the most suitable solution is a custom message modification module (a small piece of C code). Adiscon even does these for small money if you do not have the skills and this is for a business need (it's around 500 Euros, so really inexpensive for a company). Rainer > > Thanks a log, > Xavi > > > On 14 January 2013 22:05, Radu Gheorghe <[email protected]> > wrote: > > > Hi Xavier, > > > > I see 3 possible options here: > > 1. Use FromChar from Property Replacer: > > http://www.rsyslog.com/doc/property_replacer.html > > > > But this assumes that your "mydirectory" string has a fixed length, > > otherwise your messages would be cut unevenly. > > > > 2. Use regular expressions (same Property Replacer link should give an > > idea) > > > > Besides it being slow, I'm not sure if it will actually work. AFAIK > > rsyslog's regexps don't get the lazy (?) quantifier. > > > > 3. Use mmnormalize to parse your logs and print out the fields you > > need. I haven't used this myself but I think it should work. Here are > > some > > resources: > > http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/ > > http://www.liblognorm.com/help/creating-a-rulebase/ > > > > Best regards, > > Radu > > > > > > 2013/1/14 Xavier Fustero <[email protected]> > > > > > Hi all, > > > > > > I would like to ask if anyone can help me on getting this fixed. > > > > > > I have several clients sending logs to a central rsyslog server. > > > These clients add a tag called *mydirectory* which is different > > > according the client. Later on the server extracts this tag to > > > create a dynamic log > > file > > > on its side. > > > > > > Client: > > > $template GroupApp,"<%PRI%>%TIMESTAMP:::date-rfc3339% > %HOSTNAME% > > > %syslogtag% *mydirectory*:%msg%\n" > > > local0,local1.* :omrelp:*rsyslog_server*:*myport*;GroupApp > > > > > > Server: > > > # Dynamic template for groupping applications under its mydirectory > > > $template Dyn_AppLogs, "/my_logs/%msg:F,58:1:%/%APP-NAME%.log" > > > > > > This %msg:F,58:1:% seems to be working fine and I get the expected > > > directories created like: > > > > > > /my_logs/mydirectory1/lala.log > > > /my_logs/mydirectory2/lele.log > > > > > > My problem is that I also log mydirectory1,2 in the logs. It is not > > > a big deal but I would like to get rid of this. Can't find the way > > > to remove it from the message. > > > > > > Thanks a log, > > > Xavi > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > > > you DON'T LIKE THAT. > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond > our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
