On Fri, 26 Apr 2013, Rainer Gerhards wrote:

On Fri, 2013-04-26 at 11:16 +0300, Aleksandr wrote:
PS. In syslog-ng it is possible with creating rewrite rule.

rewrite test_rule {
    subst("SOME_TEXT_FOR_REPLACE", "NEW_TEXT", value("MSG"));
};

I have no idea of what this does ;) It looks like search and replace. But what 
exactly is searched (especially which field), what is replaced? Does it modify 
the message itself? Or just the output?

Please elaborate.

This example replaces SOME_TEXT_FOR_REPLACE with NEW_TEXT in the MESSAGE part.
But in general it can be used for modifying part of HOST, MESSAGE,
PROGRAM, or any user-defined macros.
The only exceptions are the FACILITY, SEVERITY, TAGS, and the
date-related fields, which cannot be rewritten.
Rewrite rules can be applied in syslog-ng before sending to a
destination (file, another log server, etc.).

So in essence this is a search-and-replace of some message fields, and
the fields are permanently replaced with the new value, right?

A couple of questions before I can decide if such a thing makes sense
inside rsyslog:

Is there an advantage of replacing the original content vs. just
replacing the value in the output part? In other words: what's the use
case? (I ask because in the past 10 years nobody ever requested such a
feature).

What if fields are interdependent, for example msg is a virtual property
which points into rawmsg. So if one is changed, the other changes as
well.

In general, if e.g. fromhost is changed, should/must that be reflected
in rawmsg? Or is it OK if for some properties things become inconsistent
(but not for others, like the rawmsg/msg pair)?

If e.g. the fromhost is changed, what happens to associated IP
addresses?

For fields with required syntax (e.g. fromhost), is a syntax check
necessary? (because otherwise you could include malicious sequences).

In rsyslog 7 I think this makes more sense as a function that you can use to create a new variable (that can then be used in an output template).

It avoids all the problems with changing other variables that you don't expect, and there would be no reason to limit it to a few properties; it could be used with anything (including parsed JSON properties).

The use cases I see for it are:

1. data masking

2. a poor-man's version of table-lookup type functionality (changing a regex match to fixed text)

David Lang
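The approach David describes above, as an added example that is not code from this thread or from rsyslog or syslog-ng: a derived variable is computed from msg and consumed only by an output template, so rawmsg and msg are never modified and cannot drift apart. Both use cases he lists (data masking, and a regex-match-to-fixed-text lookup) are shown; the message fields, rule tables and sample log line are constructed for this illustration.

```python
import re
from dataclasses import dataclass, field, replace as dc_replace

@dataclass(frozen=True)
class LogMessage:
    """Constructed stand-in for a parsed syslog message; frozen so the
    original properties (rawmsg, msg, fromhost) cannot be overwritten."""
    rawmsg: str
    fromhost: str
    msg: str
    vars: dict = field(default_factory=dict)   # user-defined variables

# Use case 1: data masking. Patterns and replacements are assumptions.
MASK_RULES = [
    # 16-digit card-like numbers: keep only the last group of four
    (re.compile(r"\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b"), r"****-****-****-\2"),
    # key=value secrets, case-insensitive key
    (re.compile(r"(?i)(password=)\S+"), r"\1<redacted>"),
]

# Use case 2: poor-man's table lookup, regex match -> fixed label.
LOOKUP_RULES = [
    (re.compile(r"Failed password for"), "AUTH_FAILURE"),
    (re.compile(r"Accepted (publickey|password) for"), "AUTH_SUCCESS"),
]

def mask(text: str) -> str:
    for pat, repl in MASK_RULES:
        text = pat.sub(repl, text)
    return text

def classify(text: str, default: str = "UNCLASSIFIED") -> str:
    for pat, label in LOOKUP_RULES:
        if pat.search(text):
            return label
    return default

def with_variable(m: LogMessage, name: str, value: str) -> LogMessage:
    """Return a copy carrying a new variable; rawmsg/msg stay as received."""
    return dc_replace(m, vars={**m.vars, name: value})

def process(m: LogMessage) -> LogMessage:
    m = with_variable(m, "msg_masked", mask(m.msg))
    m = with_variable(m, "event_class", classify(m.msg))
    return m

def render(m: LogMessage, template: str) -> str:
    """Output template: original properties and derived variables by name."""
    return template.format(fromhost=m.fromhost, msg=m.msg, **m.vars)

SAMPLE = LogMessage(   # constructed sample, not a real capture
    rawmsg="<13>Apr 26 11:16:00 host1 app[42]: user=alice password=hunter2 card=4111 1111 1111 1234",
    fromhost="host1",
    msg="user=alice password=hunter2 card=4111 1111 1111 1234",
)
```

Writing the masked variable to the destination while leaving msg intact means a separate, access-controlled destination can still receive the unmasked original if retention rules require it.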
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog