Looks like my last email was chopped off. Here it is again.

################

I can only assume I am not implementing this correctly. :-)

But I have a parser I am trying to use so I can take a subset of the information of a message and send that subset to another receiver. This is the whole message:

    <13>Feb 4 18:40:17 myhost syslogng: 2012-02-04T18:40:17-08:00 myhostserver-http /tmp/logs/access_log Hi Mom

What I want to do is send out the message as:

    <13>Feb 4 18:40:17 myhost syslogng: Hi Mom

Notice how I dropped the middle part out.

From what I have read, the parser acts on the message body alone. Is this correct? So I set it up to look for four (4) columns of data and to be "greedy" on the last column.

I have played around with the number of columns and even used a rewrite function instead. But the Parser continues to produce empty variables. And my template just echoes out my default value.

Any thoughts?

    parser p_et_logmessage {
        csv-parser(
            #columns("ETMSG")
            #columns("ETMSG.ISODATE")
            columns("ETMSG.ISODATE", "ETMSG.EASI", "ETMSG.SOURCE", "ETMSG.BODY")
            delimiters(" ")
            #template("${MSG}")
            flags(greedy)
        );
    };

    rewrite r_rewrite_set {
        set('${ETMSG.BODY:-nothing}', value("MESSAGE"));
    };

    template t_et_basic_logmessage {
        template("${ETMSG.BODY:-nothing}\n");
        template_escape(no);
    };

    destination destination_info {
        tcp("host2" port(8080)
            template(t_et_basic_logmessage)
            log_disk_fifo_size(32212254720)
        );
    };

    log {
        source(INTAKE);
        parser(p_et_logmessage);
        destination(destination_info);
    };

On Mon, Feb 6, 2012 at 11:07 AM, T. A. Smooth <catdaaaady@gmail.com> wrote:
I can only assume I am not implementing this correctly. :-)
But I have a parser I am trying to use so I can take a subset of the information of a message and send that subset to another receiver. This is the whole message:
<13>Feb 4 18:40:17 myhost syslogng: 2012-02-04T18:40:17-08:00 myhostserver-http /tmp/logs/access_log Hi Mom
What I want to do is send out the message as:
<13>Feb 4 18:40:17 myhost syslogng: Hi Mom
Notice how I dropped the middle part out.
From what I have read, the parser acts on the message body alone. Is this correct? So I set it up to look for four (4) columns of data and to be "greedy" on the last column.
I have played around with the number of columns and even used a rewrite function instead. But the Parser continues to produce empty variables. And my template just echoes out my default value.
Any thoughts?
    parser p_et_logmessage {
        csv-parser(
            #columns("ETMSG")
            #columns("ETMSG.ISODATE")
            columns("ETMSG.ISODATE", "ETMSG.EASI", "ETMSG.SOURCE", "ETMSG.BODY")
            delimiters(" ")
            #template("${MSG}")
            flags(greedy)
        );
    };

    rewrite r_rewrite_set {
        set('${ETMSG.BODY:-nothing}', value("MESSAGE"));
    };

    template t_et_basic_logmessage {
        template("${ETMSG.BODY:-nothing}\n");
        template_escape(no);
    };

    destination destination_info {
        tcp("host2" port(8080)
            template(t_et_basic_logmessage)
            log_disk_fifo_size(32212254720)
        );
    };

    log {
        source(INTAKE);
        parser(p_et_logmessage);
        destination(destination_info);
    };
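An added example, not part of the original post and not syslog-ng code: a small Python model of the split the post is aiming for, useful as a reference for what each column should hold when checking a parser like the one above. It assumes a BSD-syslog header and a single-space delimiter; the function names are hypothetical, and the sample line is the one quoted in the post.

```python
import re

# Sample input: the line quoted in the post.
SAMPLE = ("<13>Feb 4 18:40:17 myhost syslogng: "
          "2012-02-04T18:40:17-08:00 myhostserver-http /tmp/logs/access_log Hi Mom")

# Column names taken from the poster's columns() list.
COLUMNS = ["ETMSG.ISODATE", "ETMSG.EASI", "ETMSG.SOURCE", "ETMSG.BODY"]

# BSD-syslog (RFC 3164) header: <PRI>Mmm d hh:mm:ss host program: message
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<date>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^:\s]+): ?(?P<msg>.*)$")


def split_header(line):
    """Separate the syslog header fields from the message body."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not a BSD-syslog line: %r" % line)
    return m.groupdict()


def greedy_columns(msg, names=COLUMNS, delimiter=" "):
    """Split msg into len(names) columns; the last one keeps the remainder."""
    parts = msg.split(delimiter, len(names) - 1)
    parts += [""] * (len(names) - len(parts))  # missing columns stay empty
    return dict(zip(names, parts))


def rebuild(line, default="nothing"):
    """Return the header followed only by the BODY column (or the default)."""
    h = split_header(line)
    # Mirrors the ${ETMSG.BODY:-nothing} fallback in the poster's template.
    body = greedy_columns(h["msg"])["ETMSG.BODY"] or default
    return "<%s>%s %s %s: %s" % (
        h["pri"], h["date"], h["host"], h["program"], body)


if __name__ == "__main__":
    print(greedy_columns(split_header(SAMPLE)["msg"]))
    print(rebuild(SAMPLE))
```

A body with fewer than four space-separated fields leaves ETMSG.BODY empty in this model, so `rebuild` falls back to the default value.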