Just a follow-up to anyone else who needs to cope with Cisco devices being logged with an extra hostname given, which shifts $HOST into $PROGRAM. You can fix the program and message using this:

    filter f_rewrite_cisco_program {
        match('^(%(?:ASA|PIX|FWSM)\-\d\-\d{6}): ([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref"));
    };
    rewrite r_cisco_program {
        set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
        set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
    };
    log {
        rewrite(r_cisco_program);
        <usual log statements>
    };

The anchor '^' at the beginning should make performance very good. A bonus PCRE fact: [^\n]+ is much faster than .+ so I recommend using it whenever you're matching any char. Second bonus PCRE fact: PCRE 8.20RC3 compiled with sljit is 20-30% faster than older PCREs. Note to Balabit: you guys should seriously consider a configure script flag to compile with sljit and newer PCREs.

On Wed, Oct 5, 2011 at 1:24 PM, Fekete Róbert <frobert@balabit.hu> wrote:
I guess csv parser. If you are lucky, you can rewrite the PROGRAM and MSG fields from the csv parser (not sure if it actually works, but wouldn't be surprised if it did), like:
    csv_parser .... columns($PROGRAM,$MESSAGE)

Robert
On Wednesday, October 5, 2011 20:00 CEST, Martin Holste <mcholste@gmail.com> wrote:
So I have a customer who has enabled the device-id configuration directive on his FWSM, and that means that instead of this from a normal FWSM:

    <174>%FWSM-6-302013: Built inbound TCP...

it sends this:

    <174>FWSMHostName %FWSM-6-30203: Built inbound TCP...

This means that the program name does not get properly parsed as syslog-ng pushes it into the msg field. If I can't convince the customer to remove the device-id setting, what's the least CPU-intensive way of coping with this so that program and msg are set correctly?

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
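The rewrite from Martin's follow-up, modelled in Python as an added example (not code from the thread or from syslog-ng): the same PCRE is applied to constructed records carrying the fields as the thread says syslog-ng parsed them (device-id hostname in PROGRAM, Cisco message id left at the start of MESSAGE), so the corrected fields and the untouched non-matching records can be checked offline. The record layout and sample values are assumptions.

```python
import re

# Same pattern as the syslog-ng filter in the thread: anchored at the start,
# Cisco ASA/PIX/FWSM message id (exactly six digits), then the rest of the line.
CISCO_PROGRAM_RE = re.compile(r'^(%(?:ASA|PIX|FWSM)-\d-\d{6}): ([^\n]+)')


def rewrite_cisco_program(record):
    """Return a copy of a parsed record with PROGRAM/MESSAGE fixed.

    record is a dict of syslog-ng fields ('HOST', 'PROGRAM', 'MESSAGE').
    When the device-id hostname was taken as PROGRAM, MESSAGE still starts
    with the Cisco message id, so the filter matches and $1/$2 are moved into
    PROGRAM and MESSAGE, mirroring the two set() rules. Anything that does not
    match (already-correct Cisco lines, non-Cisco programs, ids that are not
    six digits) is returned unchanged, exactly as the conditional rewrite does.
    """
    m = CISCO_PROGRAM_RE.match(record.get('MESSAGE', ''))
    if m is None:
        return dict(record)
    fixed = dict(record)
    fixed['PROGRAM'] = m.group(1)   # set("$1", value("PROGRAM") ...)
    fixed['MESSAGE'] = m.group(2)   # set("$2", value("MESSAGE") ...)
    return fixed


def rewrite_all(records):
    return [rewrite_cisco_program(r) for r in records]


# Constructed sample records (hostnames and addresses are made up).
SAMPLE_RECORDS = [
    # device-id enabled: hostname landed in PROGRAM, id pushed into MESSAGE
    {'HOST': '10.0.0.1', 'PROGRAM': 'FWSMHostName',
     'MESSAGE': '%FWSM-6-302013: Built inbound TCP connection'},
    # no device-id: syslog-ng already parsed PROGRAM correctly, must stay as is
    {'HOST': '10.0.0.2', 'PROGRAM': '%ASA-4-106023',
     'MESSAGE': 'Deny tcp src outside:198.51.100.7/4444'},
    # non-Cisco program on the same collector, must stay as is
    {'HOST': '10.0.0.3', 'PROGRAM': 'sshd',
     'MESSAGE': 'Accepted publickey for admin'},
]

if __name__ == '__main__':
    for before, after in zip(SAMPLE_RECORDS, rewrite_all(SAMPLE_RECORDS)):
        print(f"{before['PROGRAM']:>16} -> {after['PROGRAM']:<16} {after['MESSAGE']}")
```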