On Fri, Apr 26, 2013 at 4:16 PM, Rainer Gerhards <[email protected]> wrote:
> On Fri, 2013-04-26 at 11:16 +0300, Aleksandr wrote:
>>>> PS. In syslog-ng it is possible by creating a rewrite rule.
>>>>
>>>> rewrite test_rule {
>>>>     subst("SOME_TEXT_FOR_REPLACE", "NEW_TEXT", value("MSG"));
>>>> };
>>>
>>> I have no idea what this does ;) It looks like search and replace. But
>>> what exactly is searched (especially which field), what is replaced? Does
>>> it modify the message itself? Or just the output?
>>>
>>> Please elaborate.
>>
>> This example replaces SOME_TEXT_FOR_REPLACE with NEW_TEXT in the MESSAGE part.
>> But in general it can be used for modifying part of HOST, MESSAGE,
>> PROGRAM, or any user-defined macros.
>> The only exceptions are the FACILITY, SEVERITY, TAGS, and the
>> date-related fields, which cannot be rewritten.
>> Rewrite rules can be applied in syslog-ng before sending to a
>> destination (file, another log server, etc.).
>
> So in essence this is a search-and-replace of some message fields, and
> the fields are permanently replaced with the new value, right?

Yep.

> Couple of questions before I can decide if such a thing makes sense
> inside rsyslog:
>
> Is there an advantage of replacing the original content vs. just
> replacing the value in the output part? In other words: what's the use
> case? (I ask because in the past 10 years nobody ever requested such a
> feature).

My case was very simple: trimming long program names to shorter ones to save disk space.
But in general this universal functionality can be used for masking credit card
numbers in logs in PCI environments, for anonymizing IP addresses, which you
introduced in v7.3.7 (http://blog.gerhards.net/2013/04/log-anonymization-with-rsyslog.html),
or for filtering out unnecessary data from logs before sending it to another log
server or writing it to disk or a DB. In real life we can face a case where it is
not possible to change log data on the client side...

> What if fields are interdependent, for example msg is a virtual property
> which points into rawmsg. So if one is changed, the other changes as
> well.
> In general, if e.g. fromhost is changed, should/must that be reflected
> in rawmsg? Or is it OK if for some properties things become inconsistent
> (but for others not, like rawmsg/msg pair).

If we can change fromhost in the real (not virtual) property then it should change
in the virtual property as well. Personally I don't see any problems with this.

> If e.g. the fromhost is changed, what happens to associated IP
> addresses?
>
> For fields with required syntax (e.g. fromhost), is a syntax check
> necessary? (because otherwise you could include malicious sequences).
>
> Feedback appreciated,
> Rainer

Aleksandr
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
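The per-field search-and-replace discussed in this thread, written out as an added illustration that is not code from the thread, from syslog-ng or from rsyslog. It models the two points Rainer raises: rawmsg is re-derived from the rewritten fields so the rawmsg/msg pair never becomes inconsistent, and fields with required syntax (fromhost, program) are checked after the rewrite so a rule cannot smuggle in arbitrary sequences. The line layout is a simplified RFC 3164 form and the sample line is constructed.

```python
import re

# Constructed sample line in a simplified RFC 3164 layout (not from the thread).
SAMPLE = "<34>Apr 26 11:16:00 webhost01 payment-gateway-frontend: card 4111111111111111 approved"

LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(\[\d+\])?: (.*)$")
# Fields with required syntax: a rewrite must not be able to insert spaces,
# newlines or other bytes that the downstream parser would misinterpret.
SYNTAX = {
    "fromhost": re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$"),
    "program": re.compile(r"^[A-Za-z0-9_.-]{1,32}$"),
}
FIXED = ("facility", "severity", "timestamp")  # not rewritable, as in syslog-ng

def parse(raw):
    m = LINE_RE.match(raw)
    if not m:
        raise ValueError("unparsable line: %r" % raw)
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "fromhost": m.group(3), "program": m.group(4), "pid": m.group(5) or "",
            "msg": m.group(6)}

def render(f):
    """Rebuild the raw line from the real fields, so rawmsg and msg never diverge."""
    return "<%d>%s %s %s%s: %s" % (f["facility"] * 8 + f["severity"], f["timestamp"],
                                  f["fromhost"], f["program"], f["pid"], f["msg"])

def rewrite(raw, rules):
    """Apply (field, regex, replacement) rules in order; returns fields plus derived rawmsg."""
    f = parse(raw)
    for field, pattern, repl in rules:
        if field in FIXED or field not in f:
            raise ValueError("field %r cannot be rewritten" % field)
        new = re.sub(pattern, repl, f[field])
        if field in SYNTAX and not SYNTAX[field].match(new):
            raise ValueError("rewrite of %r produced invalid value %r" % (field, new))
        f[field] = new
    f["rawmsg"] = render(f)  # the "virtual" property follows the rewritten real ones
    return f

def rejected(raw, rules):
    """True if the rule set is refused (fixed field or syntax violation)."""
    try:
        rewrite(raw, rules)
        return False
    except ValueError:
        return True

# The two use cases from the thread: shorten program names, mask card numbers (keep last 4).
RULES = [("program", r"^(.{15}).*$", r"\1"),
         ("msg", r"\b\d{12}(\d{4})\b", r"XXXXXXXXXXXX\1")]

if __name__ == "__main__":
    print(rewrite(SAMPLE, RULES)["rawmsg"])
```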

