<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Hithendra,<br>
<br>
I came across this problem just recently. I guess that you want to
handle Solaris logs with the standard Unix analysis ruleset, but these
tags are in the way. The only difference is that I moved the
tag to the end of the message (as patterndb does prefix matching,
these don't bother my patterns but are still there). My rewrite rule
is the following:<br>
<br>
<pre>rewrite r_solaris
{
    # move the solaris header to the end of the message
    # to work with linux patterndb
    # (in a double-quoted syslog-ng string a backslash escapes the next
    # character, so regex escapes such as \[ and \. are written \\[ and \\.)
    subst("(\\[ID [0-9]* [a-z]*\\.[a-z]*\\])\\ " "" value("MESSAGE")
        type("pcre") flags(store-matches));
    # $1 is the tag captured and stored by the first subst
    subst("$" " $1" value("MESSAGE") type("pcre"));
};</pre>
<br>
If you don't want to move it (backreferencing is quite slow and
resource-intensive), you could just use this untested version:<br>
<br>
<pre>rewrite r_solaris
{
    # same tag pattern, but no capture group and no stored matches:
    # the tag is simply dropped (backslashes doubled for the double-quoted string)
    subst("\\[ID [0-9]* [a-z]*\\.[a-z]*\\]\\ " "" value("MESSAGE")
        type("pcre") flags(dont-store-matches));
};</pre>
<br>
HTH,<br>
Balint<br>
<br>
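<p>To see what the two rewrites above do to a message, here is an added example; it is not code from either mail and not part of syslog-ng. It re-implements the substitutions with Python's <code>re</code> module, which uses the same syntax as the PCRE rules for the constructs involved (<code>^</code>, <code>\[</code>, character classes, <code>\.</code>), and runs them over a few constructed lines shaped like the one in the question. Two details are my own choices rather than a copy of the posted rule: the tag pattern is anchored with <code>^</code> so only a tag at the very start of MESSAGE is touched (a user-controlled field such as an SSH username could otherwise carry a tag-like string and trigger the rewrite in the middle of the body), and <code>+</code> replaces <code>*</code> so an empty message id or facility does not match. The third function reproduces the unanchored, greedy <code>\[.*\]</code> from the question to show why it loses message text whenever the body itself contains square brackets. The sample lines, host and user names are constructed for this example.</p>

```python
import re

# Constructed sample MESSAGE values in the shape shown in the thread (not real
# logs).  Solaris syslogd prefixes the text with "[ID msgid facility.level] ",
# which Linux-oriented patterndb rules never expect.
SAMPLES = [
    "[ID 800047 auth.info] Accepted publickey for xyz",
    "[ID 800047 auth.info] Accepted publickey for xyz from [::1] port 22",
    "Accepted publickey for xyz from [::1] port 22",
    "[ID 702911 daemon.notice] login by [ID 1 auth.crit] ok",
]

# Anchored, tightened form of the tag pattern from the rewrite rule: a literal
# "[ID ", digits, a space, "facility.level", "]" and one trailing space, only
# at the very start of the message.  The group keeps the tag for re-insertion.
SOLARIS_TAG = re.compile(r"^(\[ID [0-9]+ [a-z]+\.[a-z]+\]) ")


def strip_tag(message):
    """One-subst variant: drop the leading Solaris tag, keep everything else."""
    return SOLARIS_TAG.sub("", message, count=1)


def move_tag_to_end(message):
    """Two-subst variant: cut the leading tag and append it after the body,
    so prefix-matching patterndb rules see a Linux-style message while the
    Solaris message id survives for later analysis."""
    match = SOLARIS_TAG.match(message)
    if match is None:
        return message  # not a Solaris-tagged line: leave it untouched
    return message[match.end():] + " " + match.group(1)


def greedy_strip(message):
    """The pattern from the question, unanchored and greedy.  Kept only to
    demonstrate the failure mode: '.*' runs from the first '[' to the LAST ']'
    and silently deletes whatever the message body contained between them."""
    return re.sub(r"\[.*\]", "", message, count=1)


def rewrite_all(messages=SAMPLES):
    """Apply the three transformations to every sample; returns a list of
    (original, stripped, moved, greedy) tuples for inspection or testing."""
    return [(m, strip_tag(m), move_tag_to_end(m), greedy_strip(m)) for m in messages]


if __name__ == "__main__":
    for original, stripped, moved, greedy in rewrite_all():
        print("in:     " + original)
        print("strip:  " + stripped)
        print("move:   " + moved)
        print("greedy: " + greedy)
        print()
```

<p>Running it shows the second sample keeping its <code>from [::1] port 22</code> under both anchored rewrites but collapsing to <code> port 22</code> under the greedy one, and the fourth sample's inner <code>[ID 1 auth.crit]</code> surviving untouched because the anchored pattern only looks at the start of the message. The same anchoring in a syslog-ng double-quoted string is written <code>"^\\[ID ..."</code>; the <code>$1</code> in the second subst of the move-to-end rule only exists because the first subst ran with <code>flags(store-matches)</code>.</p>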
<br>
On 06/15/2012 05:39 AM, Balla, Hithendra (EXT-Other - IN/Bangalore)
wrote:
<blockquote
cite="mid:40B9AE2C586C694FB0C8F4AA401BB33101531C7D@SGSIEXC025.nsn-intra.net"
type="cite">
<p><b>Subject:</b> issue with rewrite. Please help.</p>
<p>Hi all,</p>
<p>We have the following log</p>
<p>2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 <b><font color="#FF0000">[ID 800047 auth.info]</font></b> Accepted publickey for xyz</p>
<p>We wanted to replace <b><font color="#FF0000">[ID 800047 auth.info]</font></b> with <b><font color="#FF0000">empty string</font></b> (i.e. “”) and print the following</p>
<p>2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 Accepted publickey for xyz</p>
<p>So we have used the below re-write with subst. But this is not working in <b>syslog-ng 3.4.0alpha2</b>.</p>
<pre>rewrite rw_msg {
    subst("\\[.*\\]", "", value("MESSAGE"));
};</pre>
<p>Can somebody help out here?</p>
<p>Thanks</p>
<p>Hithendra</p>
<br>
<br>
<pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
</body>
</html>