Clayton Dukes <cdukes@gmail.com> writes:
> Hi Folks,
> How can I extract a hostname from the message and replace the source ip with that name/ip address?
>
> Sample message:
> Nov 13 18:11:00 myhostname mymessage: Original Host=192.168.6.3:LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions
>
> So, I need a rewrite rule(?) to take 192.168.6.3 and replace $HOST with it:
> Nov 13 18:11:00 92.168.6.3 mymessage:LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions

Do you want to replace 'myhostname' with the IP, or the IP with myhostname?

If you want to replace myhostname with the IP, and remove the "Original Host=$IP" part of the message, you will need to pick out the IP from the message part (either with patterndb, or some other way), then create a rewrite rule that removes it from $MESSAGE. Then, on the destination side, I'd use a template to re-assemble the thing, replacing $HOST with the extracted IP address.

If you want to replace the IP with the hostname, that's a little bit easier:

    rewrite r_subst_ip {
        subst("Original Host=[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*", "$HOST", value("MESSAGE"));
    };

--
|8]
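
An offline illustration of the first option described in the reply above (pick out the IP, remove it from the message, re-assemble with the IP in place of the host), added here as an example and not part of the original thread or of syslog-ng. It is plain Python rather than syslog-ng configuration; the function name `rehost` and the rule that the line is left unchanged unless the extracted value is a valid IPv4 address are assumptions of this example, made because the value comes from message content the sender controls.

```python
import ipaddress
import re

# Sample line taken from the question in this thread.
SAMPLE = ("Nov 13 18:11:00 myhostname mymessage: Original Host=192.168.6.3:"
          "LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions")

# BSD-syslog style layout of the sample: timestamp, host, then the message part.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# The "Original Host=<ipv4>:" marker, including any whitespace in front of it.
ORIG_RE = re.compile(r"\s*Original Host=(?P<ip>[0-9]{1,3}(?:\.[0-9]{1,3}){3}):")


def rehost(line):
    """Return the line with the host field replaced by the embedded IP.

    The line is returned unchanged when it does not parse, carries no
    "Original Host=" marker, or the marker does not hold a valid IPv4 address.
    """
    parsed = LINE_RE.match(line)
    if not parsed:
        return line
    msg = parsed["msg"]
    marker = ORIG_RE.search(msg)
    if not marker:
        return line
    try:
        # Validate before trusting it as a host name: rejects e.g. 999.1.1.1.
        ip = ipaddress.IPv4Address(marker["ip"])
    except ValueError:
        return line
    # Step 2 of the reply: remove the marker from the message part.
    cleaned = msg[:marker.start()] + msg[marker.end():]
    # Step 3 of the reply: re-assemble, with the extracted IP where the host was.
    return f"{parsed['ts']} {ip} {cleaned}"


if __name__ == "__main__":
    print(rehost(SAMPLE))
```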