> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Xavier Fustero > Sent: Tuesday, January 15, 2013 11:06 AM > To: rsyslog-users > Subject: Re: [rsyslog] Substract string from message > > Hi Rainer,Radu, > > thanks for your answer. I really appreciate both. > > The mmjsonparse example looks very interesting but after Rainer email I am > afraid about performance impact. We have several rsyslog servers on the > cloud and some are pretty busy.
If what Radu posted fits your need, performance is not too much affected. I thought you wanted to actually remove a part of the message. That would required setting and modifying a number of local variables, which would be performance intense. Rainer > > Anyway, thanks a lot for your answers. I will let manager decide on which > direction should we move. > > Kind regards, > Xavi > > On 15 January 2013 10:55, Radu Gheorghe <[email protected]> > wrote: > > > Hi Xavier, > > > > 2013/1/15 Xavier Fustero <[email protected]> > > > > > Hi Radu, > > > > > > thanks for replying. > > > > > > Option 1 doesn't suitable for me as the strings will have different > > length. > > > > > > Regarding option 2 (regular expressions) I tested it and I could use > > > it > > to > > > create dynamic files like I am doing currently using msg:F,58:1. > > However, I > > > can't see how to use it to remove *mydirectory* string from the > > > original message sent by my clients and write this modified message > > > to the log > > file. > > > > > > Option 3 I should upgrade my current rsyslog version. It is planned > > > in > > very > > > close future sprints. Looked at it quickly but not sure 100% if it > > enables > > > me to do this. > > > > > > I have read that version 7 offers structured logs. Does anyone know > > > if > > this > > > enables you to remove some pieces of the original message like the > > > one I want to? If so, is there any good example? > > > > > > > Yes, so from the "sender" machine, you can make your output template > > write something like this for %message%: > > > > @cee: {"directory": "mydirectory1", "actual_message": "this is a test > > message"} > > > > Then on the "receiver" machine, with rsyslog 7 you can use mmjsonparse > > to parse this JSON and use the fields in templates. Here's a good resource: > > http://www.rsyslog.com/receiving-cee-enhanced-syslog-in-rsyslog/ > > > > So once you parse the logs, with the example above you can use the > > variables %$!directory% and %$!actual_message% in your templates. If > > you need to output all the JSON (without the @cee: cookie), use %$!all- > json%. > > > > > > > > > > Thanks a log, > > > > > > > Nice wordplay :) You're welcome :) > > > > Best regards, > > Radu > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: > This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond > our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
