One problem you will have is that the text in the messages sometimes includes commas.

How are you getting the logs to your program? Could you just insert sed into the path? I don't know of a way to do this inside rsyslog without a small custom module.

David Lang

On Mon, 25 Feb 2013, Woodruff, Dan wrote:

Date: Mon, 25 Feb 2013 21:48:02 +0000
From: "Woodruff, Dan" <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: [rsyslog] Replace a character in a message with a different one

We use Snare to capture logs from Windows machines to rsyslog for archival and 
forwarding to other tools. One tool required Snare use a comma as a delimiter 
so all the servers are configured to use a comma. The problem is we have added 
another tool that we would like to forward logs to that wants the original 
Snare delimiter, which is a tab character.

Is there a way to replace all commas in rawmsg with a tab character? I could 
not figure out a way to do this with a template because the message format is 
strange and multiple fields from Snare are combined in the syslog fields. Here 
is (sanitized) debug output:

Debug line with all properties:
FROMHOST: '1.2.3.4', fromhost-ip: '1.2.3.4', HOSTNAME: 'Hostname.domain.com', 
PRI: 134,
syslogtag 'MSWinEventLog,1,Security,695810,Mon', programname: 
'MSWinEventLog,1,Security,695810,Mon', APP-NAME: 
'MSWinEventLog,1,Security,695810,Mon', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 25 16:38:03', STRUCTURED-DATA: '-',
msg: ' Feb 25 16:38:00 
2013,4634,Microsoft-Windows-Security-Auditing,ITS-W2KS02ADR$,N/A,Success 
Audit,Hostname.domain.com,None,,An account was logged off.    Subject:   
Security ID:  S-1-5-21-299502267-36228127-1238915-1106   Account Name:  DCNAME$ 
  Account Domain:  DOMAIN   Logon ID:  0x8178814    Logon Type:   3    This 
event is generated when a logon session is destroyed. It may be positively 
correlated with a logon event using the Logon ID value. Logon IDs are only 
unique between reboots on the same computer.,695323 '
escaped msg: ' Feb 25 16:38:00 
2013,4634,Microsoft-Windows-Security-Auditing,DCNAME$,N/A,Success 
Audit,Hostname.domain.com,None,,An account was logged off.    Subject:   
Security ID:  S-1-5-21-299502267-36228127-1238915-1106   Account Name:  DCNAME$ 
  Account Domain:  DOMAIN   Logon ID:  0x8178814    Logon Type:   3    This 
event is generated when a logon session is destroyed. It may be positively 
correlated with a logon event using the Logon ID value. Logon IDs are only 
unique between reboots on the same computer.,695323 '
inputname: imudp rawmsg: '<134>Feb 25 16:38:03 Hostname.domain.com 
MSWinEventLog,1,Security,695810,Mon Feb 25 16:38:00 
2013,4634,Microsoft-Windows-Security-Auditing,DCNAME$,N/A,Success 
Audit,Hostname.domain.com,None,,An account was logged off.    Subject:   Security ID: 
 S-1-5-21-299502267-36228127-1238915-1106   Account Name:  DCNAME$   Account Domain:  
DOMAIN   Logon ID:  0x8178814    Logon Type:   3    This event is generated when a 
logon session is destroyed. It may be positively correlated with a logon event using 
the Logon ID value. Logon IDs are only unique between reboots on the same 
computer.,695323 '


Any way to do that substitution? Or any other creative solutions?

Thank you in advance,
Dan Woodruff


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
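The substitution Dan asks for, with the caveat David raises built in, as an added example that is not code from either poster or from the rsyslog project. A blind `tr ',' '\t'` would also convert commas inside the event description text; the function below treats only the delimiters between Snare fields as structural. It assumes, from the sanitized sample in the thread, that a Snare event carries 13 fixed leading fields (starting at the `MSWinEventLog` token), then one free-text description, then a trailing counter; the sample line is constructed from that debug output with a comma added to the description to show the difference. It is written as a filter that could sit in the path between rsyslog and the consuming tool, which is the kind of thing David suggests doing with sed.

```python
"""Convert the structural commas of a Snare-for-Windows syslog line back to tabs.

Added example; not code from the rsyslog project or from the posters in this
thread. Assumption (derived from the sample event in the thread): 13 fixed
leading fields, then a free-text description, then a trailing counter. Only
the delimiters between those fields are structural; commas inside the
description are data and are kept.
"""
import sys

FIXED_LEADING_FIELDS = 13          # assumption based on the thread's sample event
SNARE_MARKER = "MSWinEventLog"     # first token of the Snare payload in the sample


def snare_commas_to_tabs(rawmsg: str) -> str:
    """Rewrite structural commas as tabs, leaving commas in the description alone.

    rawmsg is the full syslog line ("<PRI>timestamp host payload"). Lines that
    do not look like a complete Snare record are returned unchanged.
    """
    idx = rawmsg.find(SNARE_MARKER)
    if idx == -1:
        return rawmsg                                  # not a Snare line
    prefix, payload = rawmsg[:idx], rawmsg[idx:]

    # Peel off the fixed leading fields; the remainder is description + counter.
    parts = payload.split(",", FIXED_LEADING_FIELDS)
    if len(parts) != FIXED_LEADING_FIELDS + 1:
        return rawmsg                                  # too few fields
    head, tail = parts[:FIXED_LEADING_FIELDS], parts[FIXED_LEADING_FIELDS]

    # The counter is whatever follows the last comma; everything before it is
    # the description, commas included.
    description, sep, counter = tail.rpartition(",")
    if not sep:
        return rawmsg                                  # no trailing counter
    return prefix + "\t".join(head + [description, counter])


def naive_commas_to_tabs(rawmsg: str) -> str:
    """The blind substitution, kept for comparison: it also hits data commas."""
    return rawmsg.replace(",", "\t")


# Constructed sample, adapted from the thread's sanitized debug output, with a
# comma deliberately placed inside the description text.
SAMPLE = (
    "<134>Feb 25 16:38:03 Hostname.domain.com "
    "MSWinEventLog,1,Security,695810,Mon Feb 25 16:38:00 2013,4634,"
    "Microsoft-Windows-Security-Auditing,DCNAME$,N/A,Success Audit,"
    "Hostname.domain.com,None,,An account was logged off. Logon IDs are only "
    "unique between reboots, on the same computer.,695323"
)


def tab_count(line: str) -> int:
    """Number of tab delimiters in a converted line (15 fields -> 14 tabs)."""
    return line.count("\t")


if __name__ == "__main__":
    # Run as a filter when given stdin, otherwise demonstrate on the sample.
    if not sys.stdin.isatty():
        for line in sys.stdin:
            sys.stdout.write(snare_commas_to_tabs(line.rstrip("\n")) + "\n")
    else:
        print("structural tabs:", tab_count(snare_commas_to_tabs(SAMPLE)))
        print("naive tabs:     ", tab_count(naive_commas_to_tabs(SAMPLE)))
```

On the sample, the structural conversion yields the 14 tabs of a 15-field Snare record while the naive substitution yields 15, because it also rewrote the comma in "reboots, on the same computer". If Snare's field count on your servers differs from the 13 assumed here, adjust `FIXED_LEADING_FIELDS`; the trailing-counter logic is unaffected.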
