<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>
<div>Would patterndb be an option?</div><div>Thinking one to match each log line type each parsing out the date and whatever else you want. </div><div><br></div><div>Jim</div><div><br></div><div><br></div><div><br></div><div id="composer_signature"><div style="font-size:85%;color:#575757">Sent from my Verizon Wireless 4G LTE smartphone</div></div><br><br>-------- Original message --------<br>From: Giovanni Mancuso <giovanni.mancuso@par-tec.it> <br>Date: 09/07/2015 3:26 PM (GMT-05:00) <br>To: "Scheidler, Balázs" <balazs.scheidler@balabit.com>, Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> <br>Subject: Re: [syslog-ng] Parsing message in unstructured rows <br><br>
<div style="color: black;">
<p style="margin: 0 0 1em 0; color: black;"></p>
<p style="margin: 0 0 1em 0; color: black;">Il 07 settembre 2015 21:10:59
"Scheidler, Balázs" <balazs.scheidler@balabit.com> ha scritto:</p>
<p style="margin: 0 0 1em 0; color: black;">> On Sep 7, 2015 6:11 PM,
"Giovanni Mancuso" <giovanni.mancuso@par-tec.it><br>
> wrote:<br>
> ><br>
> > Hi,<br>
> ><br>
> > I have an application that log date in every rows. The problem is
that<br>
> the string isn't in specific part of MESSAGE, but it could be the
first<br>
> element or the last element, or in the middle :-) :-)<br>
> ><br>
> > For example (only MESSAGE):<br>
> > User: user1@example.com Date: 12/12/2014 Status: OK<br>
> > User: user2@example.com ID: 1234 Status: DEL ....... Date:
03/05/2014<br>
> > Date: 05/08/2015 User: user3@example.com ....... Stauts: OK<br>
> > .........<br>
> ><br>
> > I want split the log in more files arranged in different path
builded by<br>
> the date information, for example /LOGS/YYYY/MM/DD/mylog.log.<br>
> ><br>
> > I do:<br>
> > rewrite r_rewrite_set {<br>
> > set("$(python get_data)", value("APP.DATE"));<br>
> > };<br>
> ><br>
> > python{<br>
> > import re<br>
> > def get_data(logmsg):<br>
> > out=None<br>
> > vars(logmsg)<br>
> > out = re.findall(" Date: (\d\d/\d\d/\d\d\d\d) ",
logmsg.MESSAGE)<br>
> > if len(out) == 1:<br>
> > return out[0]<br>
> > else:<br>
> > raise
Exception("Invalid match")<br>
> > };<br>
> ><br>
> > In this way i have in APP.DATE the date.<br>
> > Now i have a some questions:<br>
> > 1) Is there another way to do this without python?<br>
><br>
> Well, this should be possible with a simple regexp filter.</p>
<p style="margin: 0 0 1em 0; color: black;">I try to use a filter regexp,
but i don't find the solution. Have you an example?</p>
<p style="margin: 0 0 1em 0; color: black;">><br>
> > 2) In this way for every message, syslog-ng forks and exec a
python<br>
> interpreter?<br>
><br>
> No, it embeds a Python interpreter.<br>
><br>
> > 3) Is there a way to add custom SDATA field from python? Or is
there a<br>
> way to create APP.DATE from python without rewrite rule?<br>
><br>
> Not right now.<br>
><br>
> > 4) Is there a documentation about python{}? I only found a post
in a blog.<br>
><br>
> It's being prepared by the tech writer team in BalaBit<br>
><br>
> ><br>
> > Thanks<br>
> ><br>
> ><br>
> ><br>
>
______________________________________________________________________________<br>
> > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> > Documentation:<br>
> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> > FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
> ><br>
> ><br></p>
<p style="margin: 0 0 1em 0; color: black;">Inviato con AquaMail per
Android<br>
<a href="http://www.aqua-mail.com">http://www.aqua-mail.com</a></p>
</div>
</body></html>