<p dir="ltr">filter extract_date { message("Date: ([0-9]+)" flags(store-matches)); };</p>
<p dir="ltr">The important part is store-matches because by default syslog-ng doesn't store the values of the groups.</p>
<p dir="ltr">By default syslog-ng stores the value as $1, but that can be changed using the pcre syntax.</p>
<p dir="ltr">(?P<name>group)</p>
<p dir="ltr"><a href="http://regular-expressions.mobi/named.html">http://regular-expressions.mobi/named.html</a></p>
<div class="gmail_quote">On Sep 7, 2015 9:25 PM, "Giovanni Mancuso" <<a href="mailto:giovanni.mancuso@par-tec.it">giovanni.mancuso@par-tec.it</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div style="color:black">
<p style="margin:0 0 1em 0;color:black">On 7 September 2015 at 21:10:59, "Scheidler, Balázs" <<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>> wrote:</p>
<p style="margin:0 0 1em 0;color:black">> On Sep 7, 2015 6:11 PM,
"Giovanni Mancuso" <<a href="mailto:giovanni.mancuso@par-tec.it" target="_blank">giovanni.mancuso@par-tec.it</a>><br>
> wrote:<br>
> ><br>
> > Hi,<br>
> ><br>
> > I have an application that logs a date in every row. The problem is that<br>
> > the string isn't in a specific part of MESSAGE, but it could be the first<br>
> > element or the last element, or in the middle :-) :-)<br>
> ><br>
> > For example (only MESSAGE):<br>
> > User: <a href="mailto:user1@example.com" target="_blank">user1@example.com</a> Date: 12/12/2014 Status: OK<br>
> > User: <a href="mailto:user2@example.com" target="_blank">user2@example.com</a> ID: 1234 Status: DEL ....... Date:
03/05/2014<br>
> > Date: 05/08/2015 User: <a href="mailto:user3@example.com" target="_blank">user3@example.com</a> ....... Stauts: OK<br>
> > .........<br>
> ><br>
> > I want to split the log into multiple files arranged in different paths built from<br>
> > the date information, for example /LOGS/YYYY/MM/DD/mylog.log.<br>
> ><br>
> > I do:<br>
> > rewrite r_rewrite_set {<br>
> > set("$(python get_data)", value("APP.DATE"));<br>
> > };<br>
> ><br>
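> > python{<br>
> > import re<br>
> > def get_data(logmsg):<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;out=None<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;vars(logmsg)<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;out = re.findall(" Date: (\d\d/\d\d/\d\d\d\d) ", logmsg.MESSAGE)<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;if len(out) == 1:<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return out[0]<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;else:<br>
> > &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;raise Exception("Invalid match")<br>
> > };<br>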
> ><br>
> > This way I have the date in APP.DATE.<br>
> > Now I have some questions:<br>
> > 1) Is there another way to do this without Python?<br>
><br>
> Well, this should be possible with a simple regexp filter.</p>
<p style="margin:0 0 1em 0;color:black">I tried to use a regexp filter, but I can't find the solution. Do you have an example?</p>
<p style="margin:0 0 1em 0;color:black">><br>
> > 2) This way, does syslog-ng fork and exec a Python interpreter for every message?<br>
><br>
> No, it embeds a Python interpreter.<br>
><br>
> > 3) Is there a way to add a custom SDATA field from Python? Or is there a<br>
> > way to create APP.DATE from Python without a rewrite rule?<br>
><br>
> Not right now.<br>
><br>
> > 4) Is there documentation about python{}? I only found a blog post.<br>
><br>
> It's being prepared by the tech writer team in BalaBit<br>
><br>
> ><br>
> > Thanks<br>
</p>
</div>
</div>
</blockquote></div>
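<p dir="ltr">An added example, not part of the original thread: the named-group syntax from the reply, checked in Python against the sample messages from the question before it goes into a syslog-ng filter. It assumes the dates are DD/MM/YYYY; <code>log_path</code> and <code>SAMPLES</code> are hypothetical names. Because the groups accept only ASCII digits, message content cannot add other characters to the directory path.</p>

```python
import re
from datetime import date
from pathlib import PurePosixPath

# Named groups use the (?P<name>...) syntax mentioned in the reply.
# Assumption: the application writes dates as DD/MM/YYYY.
# The lookarounds require "Date:" to start a whitespace-delimited field,
# so the date may be the first, last or a middle element of MESSAGE.
DATE_RE = re.compile(
    r"(?<!\S)Date: (?P<dd>[0-9]{2})/(?P<mm>[0-9]{2})/(?P<yyyy>[0-9]{4})(?!\S)"
)

LOG_ROOT = PurePosixPath("/LOGS")  # root taken from the question's example path

# Sample MESSAGE values copied from the question.
SAMPLES = [
    "User: user1@example.com Date: 12/12/2014 Status: OK",
    "User: user2@example.com ID: 1234 Status: DEL ....... Date: 03/05/2014",
    "Date: 05/08/2015 User: user3@example.com ....... Stauts: OK",
]


def log_path(message):
    """Return /LOGS/YYYY/MM/DD/mylog.log, or None without exactly one valid date."""
    matches = list(DATE_RE.finditer(message))
    if len(matches) != 1:
        return None  # no date, or an ambiguous message with several dates
    m = matches[0]
    try:
        # Reject impossible dates such as 31/02/2015 before building a path.
        date(int(m["yyyy"]), int(m["mm"]), int(m["dd"]))
    except ValueError:
        return None
    # Every component is digits only, so the result stays under LOG_ROOT.
    return str(LOG_ROOT / m["yyyy"] / m["mm"] / m["dd"] / "mylog.log")


if __name__ == "__main__":
    for msg in SAMPLES:
        print(log_path(msg), "<-", msg)
```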