Thanks Gergely,<div>I was trying to <span style="font-family:arial,sans-serif;font-size:13px">replace myhostname with the IP (removing the "</span><span style="font-family:arial,sans-serif;font-size:13px">Original </span><span style="font-family:arial,sans-serif;font-size:13px">Host=$IP" part of the message would be optional).</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">I thought it would have to be done using something like patterndb, but wasn't sure.</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">I'll try to read up and figure out how to do it, as my patterndb experience is a bit lacking still :-)</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div class="gmail_extra"><br clear="all">______________________________________________________________ <br><br>Clayton Dukes<br>______________________________________________________________<br>
<br><br><div class="gmail_quote">On Wed, Nov 14, 2012 at 5:26 AM, Gergely Nagy <span dir="ltr"><<a href="mailto:algernon@balabit.hu" target="_blank">algernon@balabit.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">Clayton Dukes <<a href="mailto:cdukes@gmail.com">cdukes@gmail.com</a>> writes:<br>
<br>
> Hi Folks,<br>
> How can I extract a hostname from the message and replace the source ip<br>
> with that name/ip address?<br>
><br>
> Sample message:<br>
> Nov 13 18:11:00 myhostname mymessage: Original<br>
> Host=192.168.6.3:LOW_THRESHOLD_EVENT<br>
> - 0 AUTHORIZED sessions<br>
><br>
> So, I need a rewrite rule(?) to take 192.168.6.3 and replace $HOST with it:<br>
> Nov 13 18:11:00 92.168.6.3 mymessage:LOW_THRESHOLD_EVENT - 0<br>
> AUTHORIZED sessions<br>
<br>
</div>Do you want to replace 'myhostname' with the IP, or the IP with<br>
myhostname?<br>
<br>
If you want to replace myhostname with the IP, and remove the "Original<br>
Host=$IP" part of the message, you will need to pick out the IP from the<br>
message part (either with patterndb, or some other way), then create a<br>
rewrite rule that removes it from $MESSAGE. Then, on the destination<br>
side, I'd use a template to re-assemble the thing, replacing $HOST with<br>
the extracted IP address.<br>
<br>
If you want to replace the IP with the hostname, that's a little bit<br>
easier:<br>
<br>
rewrite r_subst_ip {<br>
subst("Original Host=[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*", "$HOST",<br>
value("MESSAGE"));<br>
};<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
|8]<br>
<br>
</font></span></blockquote></div><br></div>