FWIW I have been looking for this functionality lately as well, mainly to sanitize some of my incoming stuff that uses urlencoded fields that sometimes play merry hell with a few of my templates.
-- Gary F.

Sent from my iPhone

On Apr 26, 2013, at 8:49, David Lang <[email protected]> wrote:

> On Fri, 26 Apr 2013, Rainer Gerhards wrote:
>
>> On Fri, 2013-04-26 at 11:16 +0300, Aleksandr wrote:
>>>>> PS. In syslog-ng it is possible by creating a rewrite rule.
>>>>>
>>>>> rewrite test_rule {
>>>>> subst("SOME_TEXT_FOR_REPLACE", "NEW_TEXT", value("MSG"));
>>>>> };
>>>>
>>>> I have no idea of what this does ;) It looks like search and replace. But
>>>> what exactly is searched (especially which field), what is replaced? Does
>>>> it modify the message itself? Or just the output?
>>>>
>>>> Please elaborate.
>>>
>>> This example replaces SOME_TEXT_FOR_REPLACE with NEW_TEXT in the MESSAGE part.
>>> But in general it can be used for modifying part of HOST, MESSAGE,
>>> PROGRAM, or any user-defined macros.
>>> The only exceptions are the FACILITY, SEVERITY, TAGS, and the
>>> date-related fields, which cannot be rewritten.
>>> Rewrite rules can be applied in syslog-ng before sending to
>>> destination (file, another log server, etc..)
>>
>> So in essence this is a search-and-replace of some message fields, and
>> the fields are permanently replaced with the new value, right?
>>
>> Couple of questions before I can decide if such a thing makes sense
>> inside rsyslog:
>>
>> Is there an advantage of replacing the original content vs. just
>> replacing the value in the output part? In other words: what's the use
>> case? (I ask because in the past 10 years nobody ever requested such a
>> feature).
>>
>> What if fields are interdependent, for example msg is a virtual property
>> which points into rawmsg. So if one is changed, the other changes as
>> well.
>>
>> In general, if e.g. fromhost is changed, should/must that be reflected
>> in rawmsg? Or is it OK if for some properties things become inconsistent
>> (but for others not, like rawmsg/msg pair).
>>
>> If e.g. the fromhost is changed, what happens to associated IP
>> addresses?
>>
>> For fields with required syntax (e.g. fromhost), is a syntax check
>> necessary? (because otherwise you could include malicious sequences).
>
> in rsyslog 7 I think this makes more sense as a function that you can use to
> create a new variable (that can then be used in an output template)
>
> It avoids all the problems with changing other variables that you don't
> expect, and there would be no reason to limit it to a few properties, it
> could be used with anything (including parsed JSON properties)
>
> The use cases I see for it are:
>
> 1. data masking
>
> 2. a poor-man's version of table-lookup type functionality (changing a regex
> match to fixed text)
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
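
The approach proposed in the quoted reply (derive a new variable for the output template instead of rewriting message fields), applied to the urlencoded-field and data-masking use cases. This is an added Python illustration, not rsyslog code and not code from anyone in the thread; the rule patterns, field names and sample record are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed masking rules (assumptions): regex match -> fixed text.
MASK_RULES = [
    (re.compile(r"(password|token)=[^&\s]+", re.I), r"\1=***"),
    (re.compile(r"\b\d{13,16}\b"), "<PAN>"),
]


def escape_controls(text):
    """Render non-printable characters as #ooo (octal) so a decoded
    CR/LF cannot split the record or break an output template."""
    return "".join(c if c.isprintable() else "#%03o" % ord(c) for c in text)


def derive_masked(msg):
    """Return a new value for use in an output template.

    Percent-decoding happens BEFORE masking, so an encoded key such as
    'pass%77ord=' cannot slip past the rules. The input is not modified.
    """
    value = escape_controls(unquote(msg))
    for pattern, replacement in MASK_RULES:
        value = pattern.sub(replacement, value)
    return value


def render(record):
    """Attach the derived variable under its own name; rawmsg, msg and
    fromhost stay exactly as received, so they remain consistent."""
    out = dict(record)
    out["masked"] = derive_masked(record["msg"])
    return out


# Constructed sample record: msg is the tail of rawmsg, as in the thread.
SAMPLE = {
    "fromhost": "web01",
    "rawmsg": "<134>web01 app: user=bob&pass%77ord=hunter2&note=a%0Ab",
    "msg": "user=bob&pass%77ord=hunter2&note=a%0Ab",
}

if __name__ == "__main__":
    for key, val in render(SAMPLE).items():
        print(f"{key}: {val}")
```
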

