Hello list! [This message is in response to http://lists.adiscon.net/pipermail/rsyslog/2013-March/032011.html. I hope the "in-reply-to" header is taken over from the mailto-url to Outlook.]
I am searching for the same (or similar) thing. Neither lognorm nor rsyslog's property-replacer options allow me to extract a string "from a certain field till the end".

In my case messages are of the form

    May 28 17:46:45: [0001]: %SNMP-6-INFO: authenticationFailure notification sent to 10.11.12.13:123

(yes, the date is also part of the message, so in the raw message the date can be found twice). The %SNMP-6-INFO part varies and could as well be %AAA-6-INFO or other strings, so a simple %msg:40:$% won't do the trick. Also the field-based extraction won't help because there is no such thing as %msg:F,58:6-% (which ideally would output the 6th and all subsequent fields separated by a ":", similar to the unix cut command).

So I'm struggling to get such a seemingly easy task as "everything from there till the end" configured in rsyslog. Is there really no way other than (resource hungry) regular expressions?

Thanks and best regards,
Alex

PS: There is something quite odd in the lognorm help. In chapter "Rulebase" there is an expression "%INBOUND:char-to:-\x3a". My understanding is that for char-to the additional information field must be a single char, but here it is "-\x3a", i.e. two chars (dash and colon).

PPS: Also, the help text for char-to is quite misleading, stating "the field will be defined by the sign in the additional information" while it should probably be more something akin to "the field will be defined by everything until, but excluding, the sign in the additional information".

> Unfortunately, I can't match only part of a string with liblognorm so I must
> match everything ... except that everything after the "05 :" part is not
> matchable.
> Ideally, this would be double quoted and thus, I could use the quoted-string
> identifier but unfortunately, this is not the case.
>
>
> Is there a way to do something like "char-to" which can take the whole string
> until the end of the line ?
> I tried something like this : %message:char-to:A% but it doesn't work :(

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
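The extraction the post asks for ("the 6th and all subsequent fields separated by ':'", i.e. cut -d: -f6-), shown as an added example that is not part of this thread and not code from rsyslog or liblognorm. It is plain Python, and the log lines it runs on are constructed here in the shape the post describes (a syslog header, then a message that repeats the date). A single split with a maximum split count does the job in one pass without any regular expression; the regex variant is only there to show the one-pattern equivalent and to check that both give the same answer, including when the trailing 10.11.12.13:123 contributes an extra colon and when a short message has fewer than six fields. The function names, the host name and the extra sample messages are assumptions made for the example.

```python
"""Field-N-to-end extraction from syslog messages, with and without a regex."""
import re

# Constructed sample input (not real log data): BSD-style syslog header
# "Mon DD HH:MM:SS host", followed by a message that starts with the date
# again, exactly the shape discussed in the thread.
SAMPLE_LINES = [
    "May 28 17:46:45 router1 May 28 17:46:45: [0001]: %SNMP-6-INFO: "
    "authenticationFailure notification sent to 10.11.12.13:123",
    "May 28 17:47:02 router1 May 28 17:47:02: [0002]: %AAA-6-INFO: "
    "login success for user admin from 10.11.12.14:22",
    # Fewer than six ':'-separated fields: the extractor must not raise here.
    "May 28 17:48:00 router1 May 28 17:48:00: [0003]: boot",
]


def syslog_msg(line: str) -> str:
    """Return roughly what rsyslog exposes as %msg%: the text after the
    'Mon DD HH:MM:SS host' header. Simplified: no PRI or tag handling."""
    parts = line.split(" ", 4)  # date is 3 tokens, host is 1, rest is the message
    return parts[4] if len(parts) == 5 else ""


def fields_from(msg: str, start: int, sep: str = ":") -> str:
    """cut -d<sep> -f<start>- : field `start` and everything after it,
    separators preserved. `start` is 1-based like cut (and like rsyslog's
    F option). Returns "" when there are fewer than `start` fields, which
    mirrors the BLANK no-match behaviour of the property replacer.

    No regex: str.split with maxsplit = start-1 stops splitting after
    start-1 separators, so the last piece already contains the remainder
    of the line, colons included (e.g. the 10.11.12.13:123 at the end)."""
    if start < 1:
        raise ValueError("fields are 1-based")
    parts = msg.split(sep, start - 1)
    return parts[start - 1] if len(parts) == start else ""


def fields_from_regex(msg: str, start: int, sep: str = ":") -> str:
    """Same result with one anchored ERE: skip start-1 fields, capture the rest.
    For start=6 and sep=':' the pattern is ^(?:[^:]*:){5}(.*)$ ."""
    s = re.escape(sep)
    pattern = re.compile(r"^(?:[^" + s + r"]*" + s + r"){" + str(start - 1) + r"}(.*)$")
    m = pattern.match(msg)
    return m.group(1) if m else ""


def extract_all(lines, start: int = 6, sep: str = ":"):
    """Apply the split-based extractor to the %msg% part of each line."""
    return [fields_from(syslog_msg(line), start, sep) for line in lines]


def results_agree(lines, start: int = 6, sep: str = ":") -> bool:
    """True if the split-based and regex-based extractors agree on every line."""
    return all(
        fields_from(syslog_msg(line), start, sep) == fields_from_regex(syslog_msg(line), start, sep)
        for line in lines
    )


if __name__ == "__main__":
    for line, tail in zip(SAMPLE_LINES, extract_all(SAMPLE_LINES)):
        print(repr(syslog_msg(line)))
        print("  -> fields 6..end:", repr(tail))
    print("split and regex agree:", results_agree(SAMPLE_LINES))
```

The split-based function is the cheap path the post is looking for; the extracted text keeps the leading space after the fifth colon, just as cut would, so strip it at the consumer if that matters. The regex twin corresponds to the submatch-2 capture of `^([^:]*:){5}(.*)$`, which is the pattern one would hand to the regex option of rsyslog's property replacer if regex cost is acceptable; that rsyslog syntax is not exercised here and should be checked against the documentation of the rsyslog version in use.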

