<p dir="ltr"><br>
On Sep 7, 2015 6:11 PM, "Giovanni Mancuso" <<a href="mailto:giovanni.mancuso@par-tec.it">giovanni.mancuso@par-tec.it</a>> wrote:<br>
><br>
> Hi, <br>
><br>
> I have an application that log date in every rows. The problem is that the string isn't in specific part of MESSAGE, but it could be the first element or the last element, or in the middle :-) :-) <br>
><br>
> For example (only MESSAGE):<br>
> User: <a href="mailto:user1@example.com">user1@example.com</a> Date: 12/12/2014 Status: OK <br>
> User: <a href="mailto:user2@example.com">user2@example.com</a> ID: 1234 Status: DEL ....... Date: 03/05/2014<br>
> Date: 05/08/2015 User: <a href="mailto:user3@example.com">user3@example.com</a> ....... Stauts: OK<br>
> .........<br>
><br>
> I want split the log in more files arranged in different path builded by the date information, for example /LOGS/YYYY/MM/DD/mylog.log.<br>
><br>
> I do:<br>
> rewrite r_rewrite_set { <br>
> set("$(python get_data)", value("APP.DATE")); <br>
> }; <br>
><br>
> python{ <br>
> import re <br>
> def get_data(logmsg): <br>
> out=None <br>
> vars(logmsg) <br>
> out = re.findall(" Date: (\d\d/\d\d/\d\d\d\d) ", logmsg.MESSAGE) <br>
> if len(out) == 1: <br>
> return out[0] <br>
> else: <br>
> raise Exception("Invalid match") <br>
> };<br>
><br>
> In this way i have in APP.DATE the date.<br>
> Now i have a some questions:<br>
> 1) Is there another way to do this without python?</p>
<p dir="ltr">Well, this should be possible with a simple regexp filter.<br></p>
<p dir="ltr">> 2) In this way for every message, syslog-ng forks and exec a python interpreter?</p>
<p dir="ltr">No, it embeds a Python interpreter.<br></p>
<p dir="ltr">> 3) Is there a way to add custom SDATA field from python? Or is there a way to create APP.DATE from python without rewrite rule?</p>
<p dir="ltr">Not right now.<br></p>
<p dir="ltr">> 4) Is there a documentation about python{}? I only found a post in a blog.</p>
<p dir="ltr">It's being prepared by the tech writer team in BalaBit</p>
<p dir="ltr">><br>
> Thanks<br>
><br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
><br>
</p>