<br><span style=" font-size:10pt;font-family:sans-serif">Hi! Gábor </span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">No the "first
Word" of the Message is the interessting part, which I would like
to "store" or use for further decissions </span>
<br><span style=" font-size:10pt;font-family:sans-serif">e.g.the MESSAGE
could be</span>
<br><span style=" font-size:10pt;font-family:sans-serif">UIMUC4Maintenance.py:
== deactivate_uc4_monitoring = ENDE ==</span>
<br><span style=" font-size:10pt;font-family:sans-serif">or</span>
<br><span style=" font-size:10pt;font-family:sans-serif">SomeOther.py:
Exception at move</span>
<br><span style=" font-size:10pt;font-family:sans-serif">...</span>
<br><span style=" font-size:10pt;font-family:sans-serif">and so on</span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">My goal is to
put it in a destination like</span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">/var/log/Scripts/UIMUC4Maintenance.py.output</span>
<br><span style=" font-size:10pt;font-family:sans-serif">or</span>
<br><span style=" font-size:10pt;font-family:sans-serif">/var/log/Scripts/SomeOther.py.output</span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">in a dynamic way,so
that I dont have to build static filters for every Script</span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">Like I do this
with $HOST :-)</span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">Thanks for your
time</span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">Cheers<br>
Matthias</span>
<br>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">------------------------------------------------------------------------------------<br>
METZLER <br>
Informationstechnologie<br>
<br>
Matthias Gruber <br>
IT-Infrastruktur & -Betrieb<br>
<br>
B. Metzler seel. Sohn & Co.<br>
Aktiengesellschaft<br>
Untermainanlage 1<br>
60329 Frankfurt am Main<br>
Telefon (0 69) 21 04 - 43 30<br>
Telefax (0 69) 21 04 - 40 40<br>
MGruber@metzler.com<br>
</span><a href=www.metzler.com><span style=" font-size:10pt;font-family:sans-serif">www.metzler.com</span></a>
<br>
<br>
<br>
<br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">Von:
</span><span style=" font-size:9pt;font-family:sans-serif">"Nagy
Gábor" <gabor.hl@gmail.com></span>
<br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">An:
</span><span style=" font-size:9pt;font-family:sans-serif">"Syslog-ng
users' and developers' mailing list" <syslog-ng@lists.balabit.hu></span>
<br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">Datum:
</span><span style=" font-size:9pt;font-family:sans-serif">30.06.2021
17:24</span>
<br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">Betreff:
</span><span style=" font-size:9pt;font-family:sans-serif">Re:
[syslog-ng] Dynamic setting value out of message?</span>
<br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">Gesendet
von: </span><span style=" font-size:9pt;font-family:sans-serif">"syslog-ng"
<syslog-ng-bounces@lists.balabit.hu></span>
<br>
<hr noshade>
<br>
<br>
<br><span style=" font-size:12pt">Hi Matthias,</span>
<br>
<br><span style=" font-size:12pt">May I ask, is the key 'MESSAGE' fix and
the value is changing between messages?</span>
<br><span style=" font-size:12pt">For that you could parse the incoming
json with json-parser() and store the parsed key-values, then you can easily
set the desired SDATA field with a rewrite rule.</span>
<br>
<br><span style=" font-size:12pt">Alternatively, you can set the "store-matches"
flag for filters and use the matching groups in a follow-up rewrite rule.</span>
<br>
<br><span style=" font-size:12pt">Regards,</span>
<br><span style=" font-size:12pt">Gábor</span>
<br>
<br>
<br><span style=" font-size:12pt">On Tue, 29 Jun 2021, 10:42 Matthias Gruber,
<</span><a href=mailto:MGruber@metzler.com><span style=" font-size:12pt;color:blue"><u>MGruber@metzler.com</u></span></a><span style=" font-size:12pt">>
wrote:</span>
<br><span style=" font-size:10pt;font-family:sans-serif">Hi!</span><span style=" font-size:12pt">
<br>
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
I hope it is simple and my thoughts and seeks about it were to complicated
:-), simply I didnt know how to do that, perhaps someone has a clue for
me</span><span style=" font-size:12pt"> <br>
<br>
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
I am getting e.g. messages like</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br>
"MESSAGE": "UIMUC4Maintenance.py: \"== deactivate_uc4_monitoring
= ENDE ==\"",</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br>
(thats out of an JSON-formatted syslog-ng output),</span><span style=" font-size:12pt">
<br>
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
What I would like to do is, to extract the 'UIMUC4Maintenance.py:' and
put it into a SDATA-Custom-Variable or PROG but based on a regex</span><span style=" font-size:12pt">
<br>
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
so some sort of rewrite-rule like (no not a correct syntax, only to describe
it)</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br>
rewrite r_fill_program {</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br>
set(match("^\w*\.py:" value("MESSAGE")) value("PROG"));</span><span style=" font-size:12pt">
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
};</span><span style=" font-size:12pt"> <br>
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
As far as I understand it, set requires a "string" as first parameter,
I could use a lots of rewrites with a condition, but I am in "lack
of a static string", this should be some sort of variable :-)</span><span style=" font-size:12pt">
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
or I could do that static with a filter for every "^\w*\.py:"-Text,
but I hope I could do that dynamic, every time a match of my regex syslog-ng
inserts that part into a variable and so on...</span><span style=" font-size:12pt">
<br>
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
Is that possible?</span><span style=" font-size:12pt"> <br>
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
cheers</span><span style=" font-size:12pt"> </span><span style=" font-size:10pt;font-family:sans-serif"><br>
Matthias</span><span style=" font-size:12pt"> <br>
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
------------------------------------------------------------------------------------<br>
METZLER <br>
Informationstechnologie<br>
<br>
Matthias Gruber <br>
IT-Infrastruktur & -Betrieb<br>
<br>
B. Metzler seel. Sohn & Co.<br>
Aktiengesellschaft<br>
Untermainanlage 1<br>
60329 Frankfurt am Main<br>
Telefon (0 69) 21 04 - 43 30<br>
Telefax (0 69) 21 04 - 40 40</span><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u><br>
</u></span><a href=mailto:MGruber@metzler.com target=_blank><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u>MGruber@metzler.com</u></span></a><span style=" font-size:12pt;color:blue"><u><br>
</u></span><a href=http://www.metzler.com/ target=_blank><span style=" font-size:10pt;color:blue;font-family:sans-serif"><u>www.metzler.com</u></span></a><span style=" font-size:12pt">
<br>
<br>
</span><span style=" font-size:10pt;font-family:Arial"><br>
Vorstand: Harald Illy, Emmerich Müller, Gerhard Wiesheu<br>
Vorsitzender des Aufsichtsrats: Dr. Christoph Schücking<br>
Sitz der Gesellschaft: Frankfurt am Main, Handelsregister-Nr. HRB 123 365</span><span style=" font-size:12pt"><br>
</span><span style=" font-size:10pt;font-family:Arial"><br>
Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfänger
sein, so bitten wir Sie höflich, dies unverzüglich dem Absender mitzuteilen
und die Nachricht zu löschen. Es ist unzulässig, die Nachricht unbefugt
weiterzuleiten oder zu kopieren. Da wir nicht die Echtheit oder Vollständigkeit
der in dieser Nachricht enthaltenen Informationen garantieren oder zusichern
können, sind die vorstehenden Ausführungen rechtlich nicht bindend. Eine
Haftung hierfür wird ausgeschlossen.<br>
This message is confidential. If you are not the intended recipient, we
kindly ask you to inform the sender and delete the information. Any unauthorised
dissemination or copying hereof is prohibited. As we cannot guarantee or
assure the genuineness or completeness of the information contained in
this message, the statements set forth above are not legally binding. Accordingly
we cannot accept any liability for their contents.</span><span style=" font-size:12pt">
______________________________________________________________________________<br>
Member info: </span><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target=_blank><span style=" font-size:12pt;color:blue"><u>https://lists.balabit.hu/mailman/listinfo/syslog-ng</u></span></a><span style=" font-size:12pt"><br>
Documentation: </span><a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target=_blank><span style=" font-size:12pt;color:blue"><u>http://www.balabit.com/support/documentation/?product=syslog-ng</u></span></a><span style=" font-size:12pt"><br>
FAQ: </span><a href="http://www.balabit.com/wiki/syslog-ng-faq" target=_blank><span style=" font-size:12pt;color:blue"><u>http://www.balabit.com/wiki/syslog-ng-faq</u></span></a><span style=" font-size:12pt"><br>
</span><tt><span style=" font-size:10pt">______________________________________________________________________________<br>
Member info: </span></tt><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"><tt><span style=" font-size:10pt">https://lists.balabit.hu/mailman/listinfo/syslog-ng</span></tt></a><tt><span style=" font-size:10pt"><br>
Documentation: </span></tt><a href="http://www.balabit.com/support/documentation/?product=syslog-ng"><tt><span style=" font-size:10pt">http://www.balabit.com/support/documentation/?product=syslog-ng</span></tt></a><tt><span style=" font-size:10pt"><br>
FAQ: </span></tt><a href="http://www.balabit.com/wiki/syslog-ng-faq"><tt><span style=" font-size:10pt">http://www.balabit.com/wiki/syslog-ng-faq</span></tt></a><tt><span style=" font-size:10pt"><br>
<br>
</span></tt>
<br>
<br>
<br><font size="2" face="Arial"><font size="2" face="Arial"> </font></font><br>
<br>
<font size="2" face="Arial">Vorstand: Harald Illy, Emmerich Müller, Gerhard Wiesheu</font><br>
<font size="2" face="Arial">Vorsitzender des Aufsichtsrats: Dr. Christoph Schücking</font><br>
<font size="2" face="Arial">Sitz der Gesellschaft: Frankfurt am Main, Handelsregister-Nr. </font><font size="2" face="Arial">HRB 123 365</font><br>
<br>
<font size="2" face="Arial"><font size="2" face="Arial">Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfänger sein, so bitten wir Sie höflich, dies unverzüglich dem Absender mitzuteilen und die Nachricht zu löschen. Es ist unzulässig, die Nachricht unbefugt weiterzuleiten oder zu kopieren. Da wir nicht die Echtheit oder Vollständigkeit der in dieser Nachricht enthaltenen Informationen garantieren oder zusichern können, sind die vorstehenden Ausführungen rechtlich nicht bindend. Eine Haftung hierfür wird ausgeschlossen.</font></font><br>
<font size="2" face="Arial"><font size="2" face="Arial">This message is confidential. If you are not the intended recipient, we kindly ask you to inform the sender and delete the information. Any unauthorised dissemination or copying hereof is prohibited. As we cannot guarantee or assure the genuineness or completeness of the information contained in this message, the statements set forth above are not legally binding. Accordingly we cannot accept any liability for their contents.</font></font>