On Fri, 2009-06-26 at 10:14 +0200, Henk van Lingen wrote:
> Hi,
> Is it possible to change the message text before it is inserted into a database?
> I have syslog-ng-3.0.2 running and it does insert the messages directly into a PostgreSQL database, using the new sql(type(pgsql)) destination feature.
> The problem is I have lots of Cisco firewall loggings, and in the database I have a GIN index for doing full text searching. For this index, the database decomposes the message into tokens. I want to be able to search on IP-numbers. However, in lines like
> world/123.456.192.46(0) -> some-fwsm/123.456.221.121(0)
> this won't work because the tokens are world/123.456.192.46 and /123.456.192.46, not 123.456.192.46.
> To solve the problem it would be nice if there is a way to replace the slashes with spaces before the message goes to the database.

You could perhaps be interested in the new db-parser() feature, see the related blog posts about that. To simply replace '/' with ' ' is quite easy:

    rewrite r_replace_slashes {
        # pattern first, then replacement
        subst('/', ' ', value("MESSAGE"), flags(global));
    };

-- Bazsi
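
A rewrite rule only takes effect once a log path references it, so here is a sketch of the rule wired in front of the sql() destination and limited to the firewall's messages. This is an added example, not configuration from the thread: the names s_net, f_fw and d_pgsql, the connection settings, the table and column layout, and matching on the host name some-fwsm (taken from the sample line) are all assumptions.

```conf
@version: 3.0

# Assumed network source; the thread does not show the real one.
source s_net { udp(ip(0.0.0.0) port(514)); };

# Assumed filter: only the firewall's messages are rewritten.
filter f_fw { host("some-fwsm"); };

# Turn "world/123.456.192.46(0)" into "world 123.456.192.46(0)" so the
# address reaches the full-text index as a token of its own.
rewrite r_replace_slashes {
    subst('/', ' ', value("MESSAGE"), flags(global));
};

# Assumed connection settings and table layout (placeholders).
destination d_pgsql {
    sql(type(pgsql)
        host("localhost") username("syslog") password("CHANGE_ME")
        database("syslog")
        table("logs")
        columns("datetime", "host", "program", "pid", "message")
        values("$R_DATE", "$HOST", "$PROGRAM", "$PID", "$MESSAGE")
        indexes("datetime", "host"));
};

# Firewall messages: rewritten, stored, then processing stops.
log {
    source(s_net); filter(f_fw);
    rewrite(r_replace_slashes);
    destination(d_pgsql);
    flags(final);
};

# Everything else is stored unmodified.
log { source(s_net); destination(d_pgsql); };
```

The stored text of rewritten messages no longer matches what the firewall sent, which matters if the table is later used as evidence or compared against another copy of the logs.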