On Mon, Mar 11, 2019 at 11:01 PM Secrist, Eric via rsyslog <
[email protected]> wrote:
> Hello,
> For the following example message:
>
> 2019-03-11T14:13:10-07:00 xxxx-xxxx-xxxx-3 audit_protocol[9605]:
> S-1-22-1-11111|11111|System|1|11.111.111.11|NFS|CLOSE|SUCCESS|FILE|0:0|0:0|7528411024|/path/to/file
>
> Are the pipes field delimiters?
>
Yes, the pipes are field delimiters.
> How can I replace the pipes (|s) with commas?
>
> I have tried the following template and many others, but haven't been able
> to get the pipe replacement to work yet.
>
> template(name="isilon_tmpl" type="list") {
> replace("$msg", "|", ",")
>
Two problems here. You try to replace in "$msg" string and not $msg
property. Anyway, you can't directly modify $msg property, so you may try:
set $!msg = replace($msg, "|", ",");
and define your template to use $!msg.
> }
>
> ruleset(name="isilon_rset") {
> if ($msg contains "/ifs/cda/userdata/ctshared") then {
> action(type="omfile" FileCreateMode="0644"
> File="/var/log/remote/msg/eric-test" template="isilon_tmpl")
> }
> }
>
>
> Thanks,
> Eric Secrist
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
