<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000066">
Should probably throw something in there to make that match a little
less ambiguous (so it doesnt match just anything with a % and : in
it).<br>
<br>
<br>
<br>
Sent: Wed Nov 30 2011 12:20:03 GMT-0700 (MST)<br>
From: Martin Holste <a class="moz-txt-link-rfc2396E" href="mailto:mcholste@gmail.com"><mcholste@gmail.com></a><br>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a> <br>
Subject: Re: [syslog-ng] syslog-ng 3.3.3 rewrite question regarding
cisco IOS Messages
<blockquote
cite="mid:CANpnLHj6SmdAHsRRzSFmu5UNGFPJxxCaOwxEZ0LFngjtrvBi4Q@mail.gmail.com"
type="cite">
<pre wrap="">That was mine, and I think there's a couple mistakes in it because
there appears to a be a missing parenthesis and a plus sign. Try
this:
match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
On Wed, Nov 30, 2011 at 11:26 AM, Thomas Wollner <a class="moz-txt-link-rfc2396E" href="mailto:tw@wollner-net.de"><tw@wollner-net.de></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello List,
I try to rewrite cisco IOS syslog messages with timestamps in the
MESSAGE field. I want to remove the timestamp from the message and set
the program to the so called mnemonic of the message..
I found the following example on the list:
...
filter f_rewrite_cisco_program {
match('%([^:]: ([^\n]+)' value("MESSAGE") type("pcre")
flags("store-matches" "nobackref"));
};
rewrite r_cisco_program {
set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
};
log {
source(s_all);
rewrite(r_cisco_program);
destination(d_mydestination);
};
But that does not work. I tried a lot of different rewrite syntaxes,
none of them work for me.
If I just employ the filter f_rewrite_cisco_program I` am able to
filter out the cisco messages.
Sample log line (written with template $R_ISODATE $HOST $MSG):
2011-11-30T18:23:50+01:00 192.168.1.1 217122: Nov 30 17:23:49:
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down
I`m using syslog-ng 3.3.3 debian package from madhouse.
How I can rewrite my messages to filter the timestamp in the message field?
any ideas?
Any help is higly welcome,
thanks in advance,
Tom
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
</body>
</html>