On Tue, 28 May 2013, [email protected] wrote:
Hello list!
[This message is in response to
http://lists.adiscon.net/pipermail/rsyslog/2013-March/032011.html. I hope the
"in-reply-to" header is taken over from the mailto-url to Outlook.]
I am searching for the same (or similar) thing. Neither lognorm nor rsyslog's
property-replacer options allow me to extract a string "from a certain field till
the end". In my case messages are of the form
May 28 17:46:45: [0001]: %SNMP-6-INFO: authenticationFailure notification sent
to 10.11.12.13:123
(yes, the date is also part of the message, so in the raw message the date can
be found twice).
The %SNMP-6-INFO part varies and could as well be %AAA-6-INFO or other strings, so a
simple %msg:40:$% won't do the trick. Also the field-based extraction won't help because
there is no such thing as %msg:F,58:6-% (which ideally would output the 6th and all
subsequent fields separated by a ":", similar to the Unix cut command).
So I'm struggling to get such a seemingly easy task as "everything from there till
the end" configured in rsyslog. Is there really no way other than (resource hungry)
regular expressions?
hmm, there is the 'from here to character X' option, what if you make character
X be a newline?
David Lang
Thanks and best regards,
Alex
PS: There is something quite odd in the lognorm help. In chapter "Rulebase" there is an expression
"%INBOUND:char-to:-\x3a". My understanding is that for char-to the additional information field
must be a single char, but here it is "-\x3a", i.e. two chars (dash and colon).
PPS: Also, the help text for char-to is quite misleading, stating "the field will be defined
by the sign in the additional information" while it should probably be more something akin to
"the field will be defined by everything until, but excluding, the sign in the additional
information".
Unfortunately, I can't match only part of a string with liblognorm so I must match
everything ... except that everything after the "05 :" part is not matchable.
Ideally, this would be double quoted and thus, I could use the quoted-string
identifier but unfortunately, this is not the case.
Is there a way to do something like "char-to" which can take the whole string
until the end of the line ?
I tried something like this : %message:char-to:A% but it doesn't work :(
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
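The extraction Alex describes, as an added example that is not part of the thread and not rsyslog or liblognorm code: a Python emulation of the `cut -d: -f6-` semantics (field 6 and everything after it), run over a constructed line in the shape of his sample, next to the single-field extraction that an F,58:6-style option gives and an ERE that yields the same tail. The same ERE is what one would hand to rsyslog's regex-based property replacer (the `R` option), with the exact option syntax checked against the property-replacer documentation. Function and variable names here are mine.

```python
import re

# Constructed sample line in the shape quoted in the thread (not a real capture).
# Colon-separated fields: "May 28 17" | "46" | "45" | " [0001]" | " %SNMP-6-INFO"
#                         | " authenticationFailure notification sent to 10.11.12.13" | "123"
SAMPLE = ("May 28 17:46:45: [0001]: %SNMP-6-INFO: "
          "authenticationFailure notification sent to 10.11.12.13:123")


def field_to_end(msg: str, start: int, delim: str = ":") -> str:
    """Field `start` and everything after it (fields counted from 1), the
    behaviour of `cut -d<delim> -f<start>-`.  Returns '' when the message has
    fewer than `start` fields.  Fields are counted from the left, i.e. from the
    fixed prefix the logging device writes, so delimiters inside the free-text
    tail (the ':' in 10.11.12.13:123) stay where they are.  Like cut, the
    result is not stripped of leading whitespace."""
    if start < 1:
        raise ValueError("field numbers start at 1")
    parts = msg.split(delim, start - 1)   # split off only start-1 delimiters
    return parts[start - 1] if len(parts) == start else ""


def single_field(msg: str, n: int, delim: str = ":") -> str:
    """Field n alone, what a fixed-field extraction returns.  On the sample
    this loses the ':123' port because field 6 ends at the next delimiter."""
    parts = msg.split(delim)
    return parts[n - 1] if len(parts) >= n else ""


def tail_regex(start: int, delim: str = ":") -> "re.Pattern[str]":
    """ERE-compatible pattern that skips start-1 delimited fields and captures
    the rest in group 1, e.g. ^([^:]*:){5}(.*)$ for start=6.  A non-capturing
    group is used here so the tail is always group 1."""
    d = re.escape(delim)
    return re.compile(r"^(?:[^%s]*%s){%d}(.*)$" % (d, d, start - 1))


def field_to_end_regex(msg: str, start: int, delim: str = ":") -> str:
    """Same result as field_to_end(), obtained through the regex route."""
    m = tail_regex(start, delim).match(msg)
    return m.group(1) if m else ""


if __name__ == "__main__":
    print("cut -f6-  :", repr(field_to_end(SAMPLE, 6)))
    print("field 6   :", repr(single_field(SAMPLE, 6)))
    print("regex     :", repr(field_to_end_regex(SAMPLE, 6)))
    print("no fields :", repr(field_to_end("free text without any colon", 6)))
```

Counting from the left matters: the leading fields come from the device and are stable, while the message tail is influenced by whatever triggered the event (here an IP and port), so anything that counts delimiters from the right, or stops at the next delimiter after field 6, will cut or shift the payload exactly in the lines that are most interesting. The regex form costs more per message than the split, which is the trade-off Alex objects to; both give the same tail on the sample and both return an empty string when a line has fewer fields than expected.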