Hi,

my version is from madhouse and installed via apt-get...

syslog-ng -V
syslog-ng 3.3.3
Installer-Version: 3.3.3
Revision: Debian/3.3.3.dfsg-1~mhp0~squeeze
Compile-Date: Nov 18 2011 15:37:57

thank you,
regards,
Tom

On 30.11.2011 21:31, Martin Holste wrote:
There was a bugfix recently to address conditional rewrite problems in the 3.3 branch, what revision are you on?
On Wed, Nov 30, 2011 at 2:07 PM, Thomas Wollner <tw@wollner-net.de> wrote: Martin,
thanks for your suggestions. I just checked the new pattern, but the rewrite did not happen either. I don't think that the pattern is the cause of the problem, because if I employ just the filter as a filter inside a log statement, I receive cisco messages only in the destination. So the pattern matches. But no rewrite happens so far.
My config is:
destination d_mydestination_rewritten { file("/var/log/mylog-rewritten.log"); };
destination d_mydestination_raw { file("/var/log/mylog-raw.log"); };
destination d_mydestination_justcisco { file("/var/log/mylog-justcisco.log"); };
filter f_rewrite_cisco_program { match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref")); };
rewrite r_cisco_program { set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program))); set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program))); };
log { source(s_src); rewrite(r_cisco_program); destination(d_mydestination_rewritten); };
log { source(s_src); filter(f_rewrite_cisco_program); destination(d_mydestination_justcisco); };
log { source(s_src); destination(d_mydestination_raw); };
The resulting logfiles:
grep SYS-5-CONFIG /var/log/mylog-*
/var/log/mylog-justcisco.log:Nov 30 19:59:10 192.168.111.10 2333: Nov 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on vty0 (192.168.1.2)
/var/log/mylog-raw.log:Nov 30 19:59:10 192.168.111.10 2333: Nov 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on vty0 (192.168.1.2)
/var/log/mylog-rewritten.log:Nov 30 19:59:10 192.168.111.10 2333: Nov 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on vty0 (192.168.1.2)
So something must be wrong using the rewrite or the rewrite rule itself...
Any ideas, further suggestions?
Thanks in advance,
Tom
On 30.11.2011 20:20, Martin Holste wrote:
That was mine, and I think there's a couple of mistakes in it because there appears to be a missing parenthesis and a plus sign. Try this:
match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref"));
On Wed, Nov 30, 2011 at 11:26 AM, Thomas Wollner <tw@wollner-net.de> wrote:
Hello List,
I try to rewrite cisco IOS syslog messages with timestamps in the MESSAGE field. I want to remove the timestamp from the message and set the program to the so-called mnemonic of the message.
I found the following example on the list:
... filter f_rewrite_cisco_program { match('%([^:]: ([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref")); };
rewrite r_cisco_program { set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program))); set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program))); };
log { source(s_all); rewrite(r_cisco_program); destination(d_mydestination); };
But that does not work. I tried a lot of different rewrite syntaxes, none of them work for me. If I just employ the filter f_rewrite_cisco_program I am able to filter out the cisco messages.
Sample log line (written with template $R_ISODATE $HOST $MSG):
2011-11-30T18:23:50+01:00 192.168.1.1 217122: Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
I'm using syslog-ng 3.3.3 debian package from madhouse.
How can I rewrite my messages to filter the timestamp in the message field? Any ideas?
Any help is highly welcome, thanks in advance,
Tom
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
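The thread's rewrite depends on what the pcre match() with flags("store-matches") captures into $1 and $2 from a Cisco IOS message. The following is an added example, not code from the thread or from syslog-ng: it emulates that capture in Python on constructed sample MESSAGE values (the Cisco lines from the thread plus a non-Cisco line and a line with a stray '%'), so you can see what PROGRAM and MESSAGE would become once the conditional rewrite fires. The split of PROGRAM from MESSAGE for the Cisco samples (sequence number in PROGRAM) and the stricter STRICT_PATTERN are assumptions of this example.

```python
import re

# The pattern posted in the thread (Martin's corrected version).  syslog-ng's
# match(... type("pcre")) searches the value unanchored, so re.search() is the
# Python equivalent; with flags("store-matches") the groups become $1 and $2.
THREAD_PATTERN = re.compile(r'%([^:]+):\s+([^\n]+)')

# Stricter alternative (assumption of this example, not from the thread): only
# accept the Cisco FACILITY-SEVERITY-MNEMONIC shape, so a '%' elsewhere in the
# text cannot be mistaken for the mnemonic.
STRICT_PATTERN = re.compile(r'%([A-Z0-9_]+-[0-7]-[A-Z0-9_]+):\s+(.+)')


def rewrite_cisco(program, message, pattern=THREAD_PATTERN):
    """Emulate r_cisco_program: when the pattern matches, PROGRAM becomes $1
    (the mnemonic) and MESSAGE becomes $2 (the text after it, i.e. without the
    sequence number and the IOS timestamp).  Otherwise both values are returned
    unchanged, which is what condition(filter(...)) is meant to guarantee."""
    m = pattern.search(message)
    if m is None:
        return program, message
    return m.group(1), m.group(2)


# Constructed sample (PROGRAM, MESSAGE) records.  Assumption: syslog-ng's header
# parser put the leading sequence number ("2333: ") into PROGRAM, matching the
# "2333: Nov 30 ..." layout of the raw log file in the thread.
SAMPLES = [
    ("2333", "Nov 30 19:59:09.609: %SYS-5-CONFIG_I: Configured from console by tom on vty0 (192.168.1.2)"),
    ("217122", "Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down"),
    # non-Cisco message: must pass through untouched
    ("sshd", "Accepted publickey for alice from 10.0.0.5 port 52312 ssh2"),
    # a '%' that is not a mnemonic: the loose pattern mis-captures, the strict one does not
    ("cron", "disk at 95% usage: cleanup job started"),
]


def run_samples(pattern=THREAD_PATTERN):
    """Apply the rewrite to every sample and return the (PROGRAM, MESSAGE) results."""
    return [rewrite_cisco(p, m, pattern) for p, m in SAMPLES]


if __name__ == "__main__":
    for name, pattern in (("thread pattern", THREAD_PATTERN), ("strict pattern", STRICT_PATTERN)):
        print(f"== {name}")
        for (prog, msg), (new_prog, new_msg) in zip(SAMPLES, run_samples(pattern)):
            print(f"{prog!r} -> {new_prog!r}\n    {new_msg}")
```

Running it shows that on the two Cisco lines both patterns yield the same result (PROGRAM "SYS-5-CONFIG_I" / "LINEPROTO-5-UPDOWN", MESSAGE without the sequence number and timestamp), while on the cron line the thread's `[^:]+` group captures " usage" because it is only anchored on '%'. If the rewrite is later applied to mixed sources, the stricter shape avoids relabelling unrelated messages.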