Thanks. I'll give that a shot. I was under the impression that the quotes were
a delimiter for the Regex. Should I leave them out?
Original Message
From: David Lang
Sent: Thursday, January 5, 2017 7:19 PM
To: Matt MacDonald via rsyslog
Cc: Matt MacDonald
Subject: Re: [rsyslog] Help with Regex
On Thu, 5 Jan 2017, Matt MacDonald via rsyslog wrote:
> I am trying to redirect these messages to a different host on the network
> but I need to change the hostname from above to their hostname. The
> messages arrive looking like:
>
> "Jan 5 05:02:42 192.168.10.10-1 TRAMPGR[234234]" traputil.c(534) 34534535
> %MSG%"
>
> I would like to change 192.168.10.10-1 to its DNS name.
>
> I have tried:
>
> template(name="StupidHell" type="string"
> string="<%PRI%>%TIMESTAMP::date=rfc3339%
> %fromhost% %syslogtag:1:32%%msg::sp-if-no-1st-sp%%msg%")
>
> :hostname, regex "([0-9]{1,3}\.){3}[0-9]{1,3}\-1" { action(type="omfwd"
> Target="
> xxx.xxx.xxx.xxx" Template="StupidHell" Port="514" Protocol="UDP") }
>
> This doesn't seem to work since 1) It seems to match everything and 2) it
> doesn't add the %fromhost% portion.
>
> Any suggestions?
The first thing to do when you don't get the results you expect from a template
or a test is to check what the actual variable contents are.
Log with the template RSYSLOG_DebugFormat and it will show you exactly what is
what.
Are you sure the message arriving has the quotes in it? That isn't a legitimate
syslog format, and if the quotes are there, all sorts of things will be wrong
with the resulting variable contents.
David Lang
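
The check suggested in the reply above, written out as an rsyslog configuration. This is an added example, not part of the original thread; the file paths and the template name "PropDump" are assumptions, and the actions are assumed to sit in the ruleset that receives the messages in question.

```rsyslog
# Added example (not from the thread). Paths and the name "PropDump" are
# assumptions; place these actions ahead of the forwarding rule under test.

# 1) Built-in template named in the reply: writes every standard property
#    of each message, so the parsed values can be compared with what the
#    filter and the forwarding template expect.
action(type="omfile"
       file="/var/log/rsyslog-debug.log"
       template="RSYSLOG_DebugFormat")

# 2) Narrower dump of only the properties the filter (hostname) and the
#    forwarding template (fromhost, syslogtag, msg) depend on. rawmsg is
#    the message exactly as received, which shows whether the quotes are
#    really on the wire or were added when the sample was pasted.
template(name="PropDump" type="string"
         string="hostname='%hostname%' fromhost='%fromhost%' fromhost-ip='%fromhost-ip%' syslogtag='%syslogtag%' msg='%msg%' rawmsg='%rawmsg%'\n")

action(type="omfile"
       file="/var/log/rsyslog-props.log"
       template="PropDump")
```

Both files grow with every message received, so remove the two actions once the property values have been checked.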
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog