Yeah, that's a good call. My original, more specific filter was this: filter f_rewrite_cisco_program { match('^(%(?:ASA|PIX|FWSM)\-\d\-\d{6}): ([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref")); }; You're probably best off filtering by host IP, because adding in more to the regex to make it more specific could mean missing Cisco messages with non-standard timestamps, etc. On Wed, Nov 30, 2011 at 1:23 PM, Patrick H. <syslogng@feystorm.net> wrote:
Should probably throw something in there to make that match a little less ambiguous (so it doesn't match just anything with a % and : in it).
Sent: Wed Nov 30 2011 12:20:03 GMT-0700 (MST) From: Martin Holste <mcholste@gmail.com> To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: Re: [syslog-ng] syslog-ng 3.3.3 rewrite question regarding cisco IOS Messages
That was mine, and I think there's a couple of mistakes in it because there appears to be a missing parenthesis and a plus sign. Try this:
filter f_rewrite_cisco_program { match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref")); };
On Wed, Nov 30, 2011 at 11:26 AM, Thomas Wollner <tw@wollner-net.de> wrote:
Hello List,
I am trying to rewrite Cisco IOS syslog messages that carry timestamps in the MESSAGE field. I want to remove the timestamp from the message and set the program to the so-called mnemonic of the message.
I found the following example on the list:
... filter f_rewrite_cisco_program { match('%([^:]: ([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref")); };
rewrite r_cisco_program { set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program))); set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program))); };
log { source(s_all); rewrite(r_cisco_program); destination(d_mydestination); };
But that does not work. I tried a lot of different rewrite syntaxes, none of them work for me. If I just employ the filter f_rewrite_cisco_program, I'm able to filter out the Cisco messages.
Sample log line (written with template $R_ISODATE $HOST $MSG):
2011-11-30T18:23:50+01:00 192.168.1.1 217122: Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
I'm using the syslog-ng 3.3.3 Debian package from madhouse.
How can I rewrite my messages to filter out the timestamp in the message field? Any ideas?
Any help is highly welcome, thanks in advance,
Tom
---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
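Added example, not part of the thread above or of syslog-ng itself: a small Python emulation of what the match()/set() pair in the thread does to the MESSAGE field, run over the poster's sample line plus a few constructed lines. It shows that the pattern quoted in the original question does not even compile, that Martin's looser pattern matches any message containing "%" and ":" (Patrick's point), that the ASA/PIX/FWSM pattern with a leading "^" cannot match an IOS line that starts with a sequence number and timestamp, and how a host-based filter or a tighter mnemonic pattern avoids the over-match. The MNEMONIC pattern and the host list are my assumptions (the Cisco %FACILITY-SEVERITY-MNEMONIC layout is documented, but nothing in the thread proposes this regex).

```python
import re

# The three patterns discussed in the thread, copied verbatim.
ORIGINAL_BROKEN = r'%([^:]: ([^\n]+)'                            # from the question: unclosed group
LOOSE = re.compile(r'%([^:]+):\s+([^\n]+)')                       # Martin's corrected pattern
STRICT_ASA = re.compile(r'^(%(?:ASA|PIX|FWSM)\-\d\-\d{6}): ([^\n]+)')  # Martin's original ASA/PIX/FWSM filter

# Assumption (not from the thread): anchor on the Cisco %FACILITY-SEVERITY-MNEMONIC
# token itself, severity 0-7, so "%" elsewhere in free text does not match.
MNEMONIC = re.compile(r'%([A-Z][A-Z0-9_]*-[0-7]-[A-Z0-9_]+):\s+(.*)')

# Constructed sample lines in the "$R_ISODATE $HOST $MSG" layout of the post.
# The first is the IOS line from the thread; the rest are made up for this example.
SAMPLE_LINES = [
    "2011-11-30T18:23:50+01:00 192.168.1.1 217122: Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface FastEthernet0/1, changed state to down",
    "2011-11-30T18:24:01+01:00 192.168.1.1 217123: Nov 30 17:24:00: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (10.0.0.5)",
    "2011-11-30T18:24:10+01:00 10.0.0.7 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    # A non-Cisco message that happens to contain "%" and ":" (the ambiguity Patrick raised).
    "2011-11-30T18:24:15+01:00 10.0.0.9 cron[1234]: disk /var at 95% full: cleanup required",
]

# Assumed list of hosts known to be Cisco devices, for the host-IP filter Martin suggests.
CISCO_HOSTS = {"192.168.1.1", "10.0.0.7"}


def pattern_compiles(pattern_text):
    """True if the regex is syntactically valid; the thread's first pattern is not."""
    try:
        re.compile(pattern_text)
        return True
    except re.error:
        return False


def split_message(line):
    """Split a '$R_ISODATE $HOST $MSG' line into (host, msg); msg is what match() sees."""
    _date, host, msg = line.split(" ", 2)
    return host, msg


def rewrite(msg, pattern):
    """Emulate match(... flags("store-matches")) followed by the two set() rewrites.

    syslog-ng match() is a substring search unless the pattern itself uses '^', so
    re.search is used. On a hit, $1 becomes PROGRAM and $2 the new MESSAGE; on a
    miss the rewrite's condition() is false and nothing changes, modelled as None.
    """
    m = pattern.search(msg)
    if not m:
        return None
    return m.group(1), m.group(2)


def classify(lines, pattern, cisco_hosts=None):
    """Apply the rewrite to every line, optionally only for messages from known hosts."""
    results = {}
    for line in lines:
        host, msg = split_message(line)
        if cisco_hosts is not None and host not in cisco_hosts:
            results[line] = None
        else:
            results[line] = rewrite(msg, pattern)
    return results


if __name__ == "__main__":
    print("original pattern compiles:", pattern_compiles(ORIGINAL_BROKEN))
    for name, pat in (("LOOSE", LOOSE), ("STRICT_ASA", STRICT_ASA), ("MNEMONIC", MNEMONIC)):
        print(f"--- {name}")
        for line, result in classify(SAMPLE_LINES, pat).items():
            print(f"{split_message(line)[0]:<12} PROGRAM/MESSAGE = {result}")
    print("--- LOOSE restricted to CISCO_HOSTS")
    for line, result in classify(SAMPLE_LINES, LOOSE, CISCO_HOSTS).items():
        print(f"{split_message(line)[0]:<12} PROGRAM/MESSAGE = {result}")
```

Running it shows the loose pattern turning the cron line into PROGRAM " full" and MESSAGE "cleanup required", which is exactly the kind of silent mangling a host filter or the mnemonic-shaped pattern prevents; it also shows that the "^"-anchored ASA pattern captures the leading "%" in $1, while the other two do not, so the resulting PROGRAM values differ between the two filters.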