$msg is created at the initial parsing of the raw event. Although it
can be modified (separate subject), it is generally not recommended to
do so. The same is true for $rawmsg. Best to leave them alone and
create what you need from them.
Regards,
On 3/13/19 12:48 PM, Secrist, Eric via rsyslog wrote:
Thank you Flo and John for your help. I could not get the replace function to
work with $msg, so I created an intermediary variable called $!emsg in the
ruleset. I am not sure why the replace function did not work with $msg.
Here is the config that finally worked:
template(name="isilon_tmpl" type="string"
    string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%$!csv_msg%\n")
ruleset(name="isilon_rset") {
    if ($msg contains "astring" or $msg contains "another_string" or $msg contains "another_string") then {
        set $!emsg = $msg;
        set $!csv_msg = replace($!emsg,"|",",");
        action(type="omfile" FileCreateMode="0644" File="/var/log/remote/msg/eric-test"
               template="isilon_tmpl")
    }
}
input(type="imudp" port="514" ruleset="isilon_rset")
The above results in a message formatted like this:
2019-03-13T10:43:54-07:00 xxx-xxx-xxxx-9 audit_protocol[17951]:
S-1-22-1-0,0,System,1,10.200.148.101,NFS,CLOSE,SUCCESS,DIR,0:0,0:0,5527332821,/path/to/file
Success! Thank you so much!
-Eric
From: Flo Rance <[email protected]>
Sent: Wednesday, March 13, 2019 10:19 AM
To: rsyslog-users <[email protected]>
Cc: Secrist, Eric <[email protected]>
Subject: Re: [rsyslog] [External] Re: String replacement
You should read the following announcement:
https://www.rsyslog.com/rsyslog-version-numbering-change/
For your parsing error, you're mixing different syntax.
template(name="isilon_tmpl" type="list") {
    property(name="$!modmsg")
    constant(value="\n")
}
Flo
On Wed, Mar 13, 2019 at 4:25 PM Secrist, Eric via rsyslog
<[email protected]> wrote:
Thanks for the response John. I upgraded to version 8.1903.0 from version 8.24.
I find it strange that 8.1903 is a more recent version than 8.24.
I attempted to use your approach but ran into parsing config file errors.
Here are the statements that produced the parsing errors:
set $!modmsg = replace($msg,"|",",");
template(name="isilon_tmpl" type="list") {
string="$!msg\n"
property(name="$!modmsg")
}
I also tried using the property statement as you described, outside of the
template definition, but that also produced parsing errors.
-----Original Message-----
From: rsyslog <[email protected]> On Behalf Of John Chivian
Sent: Tuesday, March 12, 2019 12:25 PM
To: [email protected]
Subject: Re: [rsyslog] [External] Re: String replacement
This would be one of those issues where it's best to be at a recent version.
From experience I can say that both JSON property handling and the reliability
of the replace function are greatly improved since 8.24 which is still the
distro default for many. Here's what I do...
set $!modmsg = replace($msg,"{","");
property(name="$!modmsg")
Regards,
On 3/12/19 11:09 AM, Secrist, Eric via rsyslog wrote:
Thank you for the response and great information Flo.
I tried the following and I am seeing blank lines in the output file. It looks
like the $!msg variable is possibly empty?
set $!msg = replace($msg, "|",",");
template(name="isilon_tmpl" type="string"
string="%!msg%\n"
)
From: Flo Rance <[email protected]>
Sent: Tuesday, March 12, 2019 2:20 AM
To: rsyslog-users <[email protected]>
Cc: Secrist, Eric <[email protected]>
Subject: [External] Re: [rsyslog] String replacement
On Mon, Mar 11, 2019 at 11:01 PM Secrist, Eric via rsyslog
<[email protected]> wrote:
Hello,
For the following example message:
2019-03-11T14:13:10-07:00 xxxx-xxxx-xxxx-3 audit_protocol[9605]:
S-1-22-1-11111|11111|System|1|11.111.111.11|NFS|CLOSE|SUCCESS|FILE|0:0
|0:0|7528411024|/path/to/file
Are the pipes field delimiters?
Yes, the pipes are field delimiters.
How can I replace the pipes (|s) with commas?
I have tried the following template and many others, but haven't been able to
get the pipe replacement to work yet.
template(name="isilon_tmpl" type="list") {
replace("$msg", "|", ",")
Two problems here. You try to replace in "$msg" string and not $msg property.
Anyway, you can't directly modify $msg property, so you may try:
set $!msg = replace($msg, "|", ",");
and define your template to use $!msg.
}
ruleset(name="isilon_rset") {
if ($msg contains "/ifs/cda/userdata/ctshared") then {
action(type="omfile" FileCreateMode="0644" File="/var/log/remote/msg/eric-test"
template="isilon_tmpl")
}
}
Thanks,
Eric Secrist
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
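Added example, not part of the original thread or of rsyslog: the replace() approach above turns every pipe into a comma, so an audit record whose path contains a comma or a pipe gains extra CSV columns and downstream parsers read the wrong fields. The Python sketch below compares that with a quoted conversion; the 13-field layout and the path being the last field are assumptions taken from the sample record in the thread, and the record itself is constructed.

```python
import csv
import io

# Constructed record in the pipe-delimited layout shown in the thread.
# The path deliberately contains a comma and a pipe.
SAMPLE = ("S-1-22-1-0|0|System|1|10.200.148.101|NFS|CLOSE|SUCCESS|FILE|"
          "0:0|0:0|5527332821|/path/to/a,b|c.txt")

# Assumption: 13 fields per record, counted from the thread's sample line.
FIELD_COUNT = 13


def naive_csv(record: str) -> str:
    """Same effect as replace($msg, "|", ",") in the rsyslog config."""
    return record.replace("|", ",")


def safe_csv(record: str) -> str:
    """Split on the first FIELD_COUNT - 1 pipes only, so pipes inside the
    trailing path stay in the path, then emit one CSV row with quoting."""
    fields = record.strip().split("|", FIELD_COUNT - 1)
    if len(fields) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(fields)}")
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(fields)
    return buf.getvalue()


def columns(csv_line: str) -> list:
    """Parse one CSV line the way a downstream consumer would."""
    return next(csv.reader([csv_line]))


if __name__ == "__main__":
    print(len(columns(naive_csv(SAMPLE))), "columns after naive replace")
    print(len(columns(safe_csv(SAMPLE))), "columns after quoted conversion")
    print(safe_csv(SAMPLE))
```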