On Fri, 26 Apr 2013, Aleksandr wrote:
Subject: [rsyslog] how to rewrite/delete part of message
Hi all,
could someone help with creating rsyslog configuration for
rewriting/deleting part of message.
Position of this part is dynamic (it can be on different position in
syslog message).
I have looked at the Property Replacer documentation, but it looks like it
can't be achieved with it.
OS: Debian Stable (Squeeze)
Rsyslog version: 5.8.11-1~bpo60+2
PS. In syslog-ng it is possible with creating rewrite rule.
rewrite test_rule {
    subst("SOME_TEXT_FOR_REPLACE", "NEW_TEXT", value("MSG"));
};
I have no idea of what this does ;) It looks like search and replace. But what
exactly is searched (especially which field), what is replaced? Does it modify
the message itself? Or just the output?
Please elaborate.
This example replaces SOME_TEXT_FOR_REPLACE with NEW_TEXT in MESSAGE part.
But in general it can be used for modifying part of HOST, MESSAGE,
PROGRAM, or any user-defined macros.
The only exceptions are the FACILITY, SEVERITY, TAGS, and the
date-related fields, which cannot be rewritten.
Rewrite rules can be applied in syslog-ng before sending to
destination (file, another log server, etc.)
Ok, rsyslog does not have this, but since V7 has added the ability to set
variables, including with regex matches, you could probably cobble something
together
set var1 to a regex match of everything before SOME_TEXT_FOR_REPLACE
set var2 to a regex match of everything after SOME_TEXT_FOR_REPLACE
set template to var1NEW_TEXTvar2
there is development in this area, but there's a lot of stuff happening.
I think what would fit best with existing rsyslog commands would be a
set var1 = sed(SOME_TEXT_FOR_REPLACE,NEW_TEXT,var2)
that would set var1 as the result of doing the sed on var2.
since there is already a regex match, it doesn't seem like it would be too hard
to create a variant that replaced the match with a new string, but this would
definitely take some careful work.
David Lang
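
The var1/var2 approach suggested above, written out as RainerScript. This is an added example, not part of the thread and not code from the rsyslog project; it assumes rsyslog v7 or later (not the 5.8.11 from the question), and the variable names `$!before` / `$!after`, the template name and the output path are assumptions.

```rsyslog
# Added example. SOME_TEXT_FOR_REPLACE and NEW_TEXT are the placeholders
# used in the thread; everything else named here is an assumption.

# Output format: the usual header, then var1 + NEW_TEXT + var2.
template(name="rewritten" type="string"
         string="%timegenerated% %hostname% %syslogtag%%$!before%NEW_TEXT%$!after%\n")

if $msg contains 'SOME_TEXT_FOR_REPLACE' then {
    # var1: everything before the marker. POSIX ERE has no non-greedy
    # match, so ".*" is greedy and the split point is the LAST occurrence.
    set $!before = re_extract($msg, '^(.*)SOME_TEXT_FOR_REPLACE', 0, 1, "");

    # var2: everything after the marker. The leading "^.*" is greedy too,
    # so this splits at the same (last) occurrence as var1 and no text is
    # duplicated or lost when the marker appears more than once.
    set $!after = re_extract($msg, '^.*SOME_TEXT_FOR_REPLACE(.*)$', 0, 1, "");

    # Only this action sees the rewritten text; $msg and $rawmsg are
    # unchanged, so other actions still log the original message.
    action(type="omfile" file="/var/log/rewritten.log" template="rewritten")
} else {
    # Marker absent: write the message unmodified with the default format.
    action(type="omfile" file="/var/log/rewritten.log")
}
```

Only one occurrence per message is replaced. If the marker is sensitive data being scrubbed before forwarding, earlier occurrences in the same message stay in `$!before` and still reach the output.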
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog