I was referring to these quotes.
"Jan 5 05:02:42 192.168.10.10-1 TRAMPGR[234234]" traputil.c(534) 34534535 %MSG%"
David Lang On Thu, 5 Jan 2017, Matt MacDonald wrote:
Date: Thu, 05 Jan 2017 19:25:48 -0500 From: Matt MacDonald <[email protected]> To: David Lang <[email protected]>, Matt MacDonald via rsyslog <[email protected]> Subject: Re: [rsyslog] Help with Regex Thanks. I'll give that a shot. I was under the impression that the quotes were a delimiter for the Regex. Should I leave them out? Original Message From: David Lang Sent: Thursday, January 5, 2017 7:19 PM To: Matt MacDonald via rsyslog Cc: Matt MacDonald Subject: Re: [rsyslog] Help with Regex On Thu, 5 Jan 2017, Matt MacDonald via rsyslog wrote:I am trying to redirect these messages to a different host on the network but I need to change the hostname from above to their hostname. The messages arrive looking like: "Jan 5 05:02:42 192.168.10.10-1 TRAMPGR[234234]" traputil.c(534) 34534535 %MSG%" I would like to change 192.168.10.10-1 to it's DNS name. I have tried: template(name="StupidHell" type="string" string="<%PRI%>%TIMESTAMP::date=rfc3339% %fromhost% %syslogtag:1:32%%msg::sp-if-no-1st-sp%%msg%") :hostname, regex "([0-9]{1,3}\.){3}[0-9]{1,3}\-1" { action(type="omfwd" Target=" xxx.xxx.xxx.xxx" Template="StupidHell" Port="514" Protocol="UDP") } this doesn't seem to work since 1) It seems to match everything and 2) it doesn't add the %hromhost% portion. Any suggestions?The first thing to do when you don't get the results you expect from a template or a test is to check what the actual variable contents are. log with the template RSYSLOG_DebugFormat and it will show you exactly what is what. Are you sure the message arriving has the quotes in it? that isn't a legitimate syslog format, and if the quotes are there, all sorts of things will be wrong with the resulting variable contents. David Lang
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
