On Thu, 2010-08-26 at 17:50 -0700, Matthew Hall wrote:
Hello all,
I am trying to make a combination of a template and a rewrite rule to write my messages into an extension of WELF format to make them easier to process downstream (the entire point of patterndb I guess).
The template part was trivial and works perfectly. I just used some regex hacking to extract all 45 variable names I used in my patterndbs, then used gawk to dump them out into a giant (escaped) string like this, and pasted it to the config file.
template("var1=\"$var1\" var2=\"$var2\" ...\n");
One minor thing: Currently I am forced to expand varfoo="$varfoo" even if the value of $varfoo is empty because a particular message did not contain "$varfoo".
I suspect I could fix this by writing a C plugin which checks the length before expanding but I wondered if there were an easier way.
Else maybe we could make this WELF output techniquie available for everybody because I think the problem could be very common. In any case I can always make the downstream ignore empty expansions for now.
It'd make sense to create a template function for this. I have some pending patches stuffed somewhere which implements $(function ...) to be used in templates. I'm trying to dig that out so you could simply use: template("$(format-welf-values)"); Adding plugins into the mixture (the patch is for pre-plugins syslog-ng) would allow to add plugins implementing template functions.
The only problem: I want one field at the end of the message to be named 'raw' and contain a double-quote-escaped copy of the raw message. That way if the message contains double quote characters it won't break a parser because they will be escaped right.
Here is how I thought of doing this after reading the manual:
rewrite r_add_raw { subst("\"", "\\\"", value("$MSGHDR$MSG"), flags("global")), value("raw")); }
you cannot nest rewrite statements, but you can call multiple rewrite expressions: rewrite r_add_raw { set("$MSGHDR$MSG" value("raw")); subst("\"", "\\\"" value("raw")); }; but again the template function would apply again (not there yet though): set("$(escape-quotes $MSGHDR$MSG)" value("raw"));
However I am getting hit with this syntax error:
WARNING: Your configuration uses a newly introduced reserved word as identifier, please use a different name; keyword='subst', filename='welf.conf', line='2'
Apparently I did it wrong, or there is a reason I can't call set on my raw variable to set the raw variable to the double quote escaped string subst'ed from input message in $MSGHDR$MSG. I really hope somebody can comment about how to fix it so that double quotes in the input won't blow things up.
For now I worked around it temporarily just to get up and running by adding raw=\"$MSGHDR$MSG\" to the end of my template just to see if it would work OK and it does work OK when you don't have double quotes in there.
Hope this helps. -- Bazsi