Thank you for the response and great information Flo.
I tried the following and I am seeing blank lines in the output file. It looks
like the $!msg variable is possibly empty?
set $!msg = replace($msg, "|",",");
template(name="isilon_tmpl" type="string"
string="%!msg%\n"
)
From: Flo Rance <[email protected]>
Sent: Tuesday, March 12, 2019 2:20 AM
To: rsyslog-users <[email protected]>
Cc: Secrist, Eric <[email protected]>
Subject: [External] Re: [rsyslog] String replacement
On Mon, Mar 11, 2019 at 11:01 PM Secrist, Eric via rsyslog
<[email protected]<mailto:[email protected]>> wrote:
Hello,
For the following example message:
2019-03-11T14:13:10-07:00 xxxx-xxxx-xxxx-3 audit_protocol[9605]:
S-1-22-1-11111|11111|System|1|11.111.111.11|NFS|CLOSE|SUCCESS|FILE|0:0|0:0|7528411024|/path/to/file
Are the pipes field delimiters?
Yes, the pipes are field delimiters.
How can I replace the pipes (|s) with commas?
I have tried the following template and many others, but haven't been able to
get the pipe replacement to work yet.
template(name="isilon_tmpl" type="list") {
replace("$msg", "|", ",")
Two problems here. You try to replace in "$msg" string and not $msg property.
Anyway, you can't directly modify $msg property, so you may try:
set $!msg = replace($msg, "|", ",");
and define your template to use $!msg.
}
ruleset(name="isilon_rset") {
if ($msg contains "/ifs/cda/userdata/ctshared") then {
action(type="omfile" FileCreateMode="0644"
File="/var/log/remote/msg/eric-test" template="isilon_tmpl")
}
}
Thanks,
Eric Secrist
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.adiscon.net_mailman_listinfo_rsyslog&d=DwMFaQ&c=Sexio4usKrYWFsrnxgjbcQ&r=pqAh5TkcDoUXyfMplnPebu6G3M_9z7cs9GV6oLVBaAA&m=8XhT8ajKinq5Dra9Hb3WyTeig-8bImP74XvX3Sh1Uz8&s=9yIW5Zv2RpKp0qdNbo8FLDccxkb-mAEKQuz9Vao3mrw&e=>
http://www.rsyslog.com/professional-services/<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_professional-2Dservices_&d=DwMFaQ&c=Sexio4usKrYWFsrnxgjbcQ&r=pqAh5TkcDoUXyfMplnPebu6G3M_9z7cs9GV6oLVBaAA&m=8XhT8ajKinq5Dra9Hb3WyTeig-8bImP74XvX3Sh1Uz8&s=iNjUhhXBm4JxgffTRp0GZbx0W-TX3YL46Zgpbm4Xnbo&e=>
What's up with rsyslog? Follow
https://twitter.com/rgerhards<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_rgerhards&d=DwMFaQ&c=Sexio4usKrYWFsrnxgjbcQ&r=pqAh5TkcDoUXyfMplnPebu6G3M_9z7cs9GV6oLVBaAA&m=8XhT8ajKinq5Dra9Hb3WyTeig-8bImP74XvX3Sh1Uz8&s=syIr7Hk0NNCKG1X2NPXWvdxxOTa1Vv1cYb7AFJDhowY&e=>
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
