Running OSE version 3.38.1 and having difficulty with a rewrite rule.

The logs that I’m trying to modify look like:

2024-09-12T06:39:31-05:00 hostname kernel: [*09/12/2024 11:39:31.9055] bwar: [7649:I:CN_ML] …

What I am trying to do is remove the extra timestamp in square brackets (the first field in square brackets above.)

My rewrite rule looks like:

rewrite r_bracketed_ts {
    subst( '^[.+]\s', '', type(pcre), value("MESSAGE"));
};

It is invoked from this log statement:

log {
    source(s_BSD_UDP_514);
    filter(f_something);
    rewrite(r_bracketed_ts);
    destination(d_something);
    flags(final,flow-control);
};

The problem is that the rewrite appears to do nothing; log entries come out unmodified. Am I missing something?

Thank you –

Jon Wilson
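
The following is an added example, not part of the original post: it runs the posted pattern and two escaped variants against the MESSAGE text from the sample log line, to show what each one actually matches. Python's re module stands in for syslog-ng's PCRE engine (the constructs used behave the same in both), and it assumes MESSAGE starts at the first square bracket, after the header and "kernel:" have been parsed off.

```python
import re

# Constructed MESSAGE value taken from the log line in the post, assuming
# the timestamp, host and "kernel:" program name were already split off.
SAMPLE = "[*09/12/2024 11:39:31.9055] bwar: [7649:I:CN_ML] …"

# Pattern as posted: unescaped [.+] is a character class matching a single
# literal '.' or '+', so it cannot match a message that starts with '['.
AS_POSTED = r'^[.+]\s'

# Escaped but greedy: .+ backtracks only to the LAST "] " in the message,
# so it also deletes "bwar: [7649:I:CN_ML]" and loses log content.
GREEDY = r'^\[.+\]\s'

# Escaped with a negated class: stops at the first ']' after the opening
# '[', and the ^ anchor leaves messages without a leading bracket alone.
BOUNDED = r'^\[[^\]]+\]\s'


def strip_prefix(pattern: str, message: str) -> str:
    """Mimic one non-global substitution with an empty replacement."""
    return re.sub(pattern, '', message, count=1)


def compare(message: str) -> dict:
    """Return what each candidate pattern leaves of one message."""
    return {
        "as_posted": strip_prefix(AS_POSTED, message),
        "greedy": strip_prefix(GREEDY, message),
        "bounded": strip_prefix(BOUNDED, message),
    }


if __name__ == "__main__":
    for name, result in compare(SAMPLE).items():
        print(f"{name:10} -> {result!r}")
```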