Thanks Gergely,
I was trying to replace myhostname with the IP (removing the "Original Host=$IP" part of the message would be optional).
I thought it would have to be done using something like patterndb, but wasn't sure.
I'll try to read up and figure out how to do it, as my patterndb experience is a bit lacking still :-)


______________________________________________________________

Clayton Dukes
______________________________________________________________


On Wed, Nov 14, 2012 at 5:26 AM, Gergely Nagy <algernon@balabit.hu> wrote:
Clayton Dukes <cdukes@gmail.com> writes:

> Hi Folks,
> How can I extract a hostname from the message and replace the source ip
> with that name/ip address?
>
> Sample message:
> Nov 13 18:11:00 myhostname mymessage: Original
> Host=192.168.6.3:LOW_THRESHOLD_EVENT
> - 0 AUTHORIZED sessions
>
> So, I need a rewrite rule(?) to take 192.168.6.3 and replace $HOST with it:
> Nov 13 18:11:00 92.168.6.3 mymessage:LOW_THRESHOLD_EVENT - 0
> AUTHORIZED sessions

Do you want to replace 'myhostname' with the IP, or the IP with
myhostname?

If you want to replace myhostname with the IP, and remove the "Original
Host=$IP" part of the message, you will need to pick out the IP from the
message part (either with patterndb, or some other way), then create a
rewrite rule that removes it from $MESSAGE. Then, on the destination
side, I'd use a template to re-assemble the thing, replacing $HOST with
the extracted IP address.

If you want to replace the IP with the hostname, that's a little bit
easier:

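rewrite r_subst_ip {
 # Single quotes keep "\." as a regex escape for a literal dot; inside
 # double quotes syslog-ng treats the backslash as a string escape.
 subst('Original Host=[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*', "$HOST",
       value("MESSAGE"));
};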

--
|8]
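
The extract, strip and re-assemble steps described in the reply above, modelled outside syslog-ng as an added Python example (not part of the original thread and not syslog-ng configuration). The `TRUSTED_RELAYS` allow-list, the function name and the two altered sample lines are assumptions introduced here: the "Original Host=" value is sender-controlled text, so the sketch only honours it from a known relay and only when it parses as an IPv4 address.

```python
import ipaddress
import re

# BSD-syslog line as in the thread's sample: timestamp, host, program, message.
LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^:\s]+): (?P<msg>.*)$"
)
# The marker at the start of the message part.
ORIG_RE = re.compile(r"^Original Host=(?P<ip>[0-9]{1,3}(?:\.[0-9]{1,3}){3}):")

# Hypothetical allow-list: only these relays may speak for other hosts.
TRUSTED_RELAYS = {"myhostname"}


def rewrite_host(line, trusted_relays=TRUSTED_RELAYS):
    """Return the line with HOST replaced by the embedded original host.

    Lines that do not parse, come from an untrusted relay, or carry an
    invalid address are returned unchanged.
    """
    parsed = LINE_RE.match(line)
    if parsed is None or parsed["host"] not in trusted_relays:
        return line
    marker = ORIG_RE.match(parsed["msg"])        # step 1: pick out the IP
    if marker is None:
        return line
    try:
        ip = ipaddress.IPv4Address(marker["ip"])  # rejects e.g. 999.168.6.3
    except ipaddress.AddressValueError:
        return line
    msg = parsed["msg"][marker.end():]            # step 2: strip the marker
    # Step 3: re-assemble, as a destination template would.
    return f"{parsed['date']} {ip} {parsed['program']}: {msg}"


# Sample from the thread, joined onto one line; the variants are constructed.
SAMPLE = ("Nov 13 18:11:00 myhostname mymessage: "
          "Original Host=192.168.6.3:LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions")
SPOOFED = SAMPLE.replace("myhostname", "otherhost")
BAD_IP = SAMPLE.replace("192.168.6.3", "999.168.6.3")

if __name__ == "__main__":
    for entry in (SAMPLE, SPOOFED, BAD_IP):
        print(rewrite_host(entry))
```

The rewritten line keeps the space after "mymessage:", which differs slightly from the desired output quoted in the question.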