On Fri, 2013-04-26 at 11:16 +0300, Aleksandr wrote:
> >> PS. In syslog-ng it is possible by creating a rewrite rule.
> >>
> >> rewrite test_rule {
> >>     subst("SOME_TEXT_FOR_REPLACE", "NEW_TEXT", value("MSG"));
> >> };
> >
> > I have no idea of what this does ;) It looks like search and replace. But 
> > what exactly is searched (especially which field), what is replaced? Does 
> > it modify the message itself? Or just the output?
> >
> > Please elaborate.
> 
> This example replaces SOME_TEXT_FOR_REPLACE with NEW_TEXT in the MESSAGE part.
> But in general it can be used for modifying part of HOST, MESSAGE,
> PROGRAM, or any user-defined macros.
> The only exceptions are the FACILITY, SEVERITY, TAGS, and the
> date-related fields, which cannot be rewritten.
> Rewrite rules can be applied in syslog-ng before sending to the
> destination (file, another log server, etc.).

So in essence this is a search-and-replace of some message fields, and
the fields are permanently replaced with the new value, right?

Couple of questions before I can decide if such a thing makes sense
inside rsyslog:

Is there an advantage of replacing the original content vs. just
replacing the value in the output part? In other words: what's the use
case? (I ask because in the past 10 years nobody ever requested such a
feature).

What if fields are interdependent, for example msg is a virtual property
which points into rawmsg. So if one is changed, the other changes as
well.

In general, if e.g. fromhost is changed, should/must that be reflected
in rawmsg? Or is it OK if for some properties things become inconsistent
(but for others not, like the rawmsg/msg pair)?

If e.g. the fromhost is changed, what happens to associated IP
addresses? 

For fields with required syntax (e.g. fromhost), is a syntax check
necessary? (because otherwise you could include malicious sequences).

Feedback appreciated,
Rainer

> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.
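
The syntax check raised in the last question above, as an added example (not code from rsyslog or syslog-ng): a search-and-replace on a hostname field that rejects the rewritten value when it is no longer a valid RFC 1123 hostname. The function names `valid_hostname` and `rewrite_host` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: 1 if s is a syntactically valid RFC 1123 hostname. */
static int valid_hostname(const char *s)
{
    size_t total = strlen(s), label = 0;
    if (total == 0 || total > 253)
        return 0;
    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)s[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;               /* empty label or label ending in '-' */
            label = 0;
        } else if (alnum || (c == '-' && label > 0)) {
            if (++label > 63)
                return 0;               /* label too long */
        } else {
            return 0;                   /* control chars, spaces, newlines, ... */
        }
    }
    return label > 0 && s[total - 1] != '-';
}

/* Hypothetical rewrite step: replace the first occurrence of search in host
 * with repl, writing to out (must not overlap host). Returns 0 on success;
 * returns -1 and leaves the original host in out if the result is invalid. */
int rewrite_host(const char *host, const char *search, const char *repl,
                 char *out, size_t outlen)
{
    size_t hlen = strlen(host), slen = strlen(search), rlen = strlen(repl);
    const char *hit = slen ? strstr(host, search) : NULL;
    if (hlen >= outlen)
        return -1;                      /* original does not fit: out untouched */
    memcpy(out, host, hlen + 1);        /* default: original value */
    if (hit == NULL)
        return 0;                       /* nothing to replace */
    size_t pre = (size_t)(hit - host), newlen = hlen - slen + rlen;
    if (newlen >= outlen)
        return -1;
    memcpy(out + pre, repl, rlen);
    memcpy(out + pre + rlen, hit + slen, hlen - pre - slen + 1);
    if (valid_hostname(out))
        return 0;
    memcpy(out, host, hlen + 1);        /* reject: restore original */
    return -1;
}
```

The check runs on the value after substitution, so a replacement string that is harmless on its own but produces an invalid hostname in context is still rejected.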
