[syslog-ng] rewrite part of the message...

[Russell Fulton]

Apologies to those of you who have already seen this on the ELSA list.

I want to get rid of the explanatory essay that accompanies some eventlog messages from windows.

I tried this:

rewrite r_snarex { subst("\s+This event is generated when[^|]+\|", "|", value("MSGONLY") type("pcre"));
};

and added it to log section, but it did not work.  I have tried various variations on the theme too.

Russell