<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div>That did the trick! Thanks :)<br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font size="2" face="Tahoma"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Matthew Hall <mhall@mhcomputing.net><br><b><span style="font-weight: bold;">To:</span></b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br><b><span style="font-weight: bold;">Sent:</span></b> Tue, January 25, 2011 4:51:38 PM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [syslog-ng] syslog-ng - Apache Logging<br></font><br>
<br>On Tue, Jan 25, 2011 at 12:55:06PM -0800, Steven Shepherd wrote:<br>> I have Apache logging working via a named pipe, however the log looks like:<br>> <br>> Jan 25 14:44:13 $HOSTNAME $VIRTUAL_HOST: 000.000.000.000 - - <br>> [25/Jan/2011:14:44:13 -0600] "GET /foo.html HTTP/1.0" 200 24040 "-" "Wget/1.10.2 <br>> (Red Hat modified)"<br>> <br>> I want to strip the syslog timestamp and $HOSTNAME. However, if I use <br>> "template("$MSGONLY\n")", it strips the timestamp, hostname *and* the <br>> $virtual_host (obtained from including "%V" in LogFormat and using 'vcommon' on <br>> apache server).<br>> <br>> Any ideas on how to remove the syslog data but leave the vhost data in place?<br>> <br>> Cheers!<br><br>You probably want to look at MSGHDR.<br><br>The default syslog format is:<br><br>By default, syslog-ng sends messages using the following template: $ISODATE $HOST $MSGHDR$MSG\n. (The $MSGHDR$MSG part is
written together because the $MSGHDR macro includes a trailing whitespace.)<br><br><span>-- <a target="_blank" href="http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/index.html-single.html">http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/index.html-single.html</a></span><br><br>Make sure to read over the definitions of the vars.<br><br>You can use rewrites and sets to put the value of these locked (unchangeable) vars into other vars, and then edit the value of the new vars with PCRE and such, to contain just the desired data.<br><br>Matthew.<br>______________________________________________________________________________<br>Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br><span>Documentation: <a target="_blank"
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a></span><br><span>FAQ: <a target="_blank" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a></span><br><br></div></div>
</div></body></html>