Hi Hithendra,

I came across this problem just recently, I guess that you want to handle Solaris logs with the standard Unix analysis ruleset, but these tags are in the way.  The only difference is that I moved the tag to the end of the message (as patterndb does prefix matching, these don't bother my patterns but are still there). My rewrite rule is the following:

rewrite r_solaris
  {
     #move the solaris header to the end of the message
     #to work with linux patterndb
     subst("(\[ID [0-9]* [a-z]*\.[a-z]*\])\ " "" value("MESSAGE") type("pcre") flags(store-matches));
     subst("$" " $1" value("MESSAGE") type("pcre"));
  };

If you don't want to move it (backreferencing is quite slow and resource-intensive), you could just use this untested version:

rewrite r_solaris
  {
     subst("\[ID [0-9]* [a-z]*\.[a-z]*\]\ " "" value("MESSAGE") type("pcre") flags(dont-store-matches));
  };

HTH,
Balint
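
Added example (mine, not from this thread and not syslog-ng's own code): a Python emulation of the two-step rewrite above, run over constructed $MESSAGE values, which also shows why the greedy \[.*\] pattern in the quoted question over-strips once the message body carries brackets of its own. It assumes $MESSAGE begins with the Solaris tag and uses Python's re module in place of PCRE, which agrees for these patterns.

```python
import re

# Solaris tag pattern, mirroring the subst() regex of the rewrite rule above
# (capture group kept so the tag can be re-appended, like $1 in syslog-ng).
SOLARIS_TAG = re.compile(r"(\[ID [0-9]* [a-z]*\.[a-z]*\]) ")

# The greedy pattern from the quoted question, kept for comparison.
GREEDY_TAG = re.compile(r"\[.*\]")


def move_tag_to_end(message: str) -> str:
    """Emulate both subst() steps: cut the tag out, then append it after a space."""
    m = SOLARIS_TAG.search(message)
    if m is None:
        return message  # no Solaris tag (e.g. a Linux line): leave it untouched
    stripped = SOLARIS_TAG.sub("", message, count=1)  # subst() without global: first match only
    return stripped + " " + m.group(1)


def strip_tag(message: str) -> str:
    """Emulate the single-subst variant: drop the tag and its trailing space."""
    return SOLARIS_TAG.sub("", message, count=1)


def strip_greedy(message: str) -> str:
    """What the greedy \\[.*\\] pattern from the question does to the message."""
    return GREEDY_TAG.sub("", message, count=1)


# Constructed sample messages (assumed $MESSAGE contents, not real captures).
SAMPLES = [
    "[ID 800047 auth.info] Accepted publickey for xyz",
    "[ID 800047 auth.info] Failed password for invalid user [admin] from 192.0.2.1",
    "Accepted publickey for xyz",  # no Solaris tag at all
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print("moved   :", move_tag_to_end(msg))
        print("stripped:", strip_tag(msg))
        print("greedy  :", strip_greedy(msg))
        print()
```

On the second sample the greedy pattern swallows everything up to the last "]", so the user name the analyst needs is gone; the anchored tag pattern removes only the Solaris header.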


On 06/15/2012 05:39 AM, Balla, Hithendra (EXT-Other - IN/Bangalore) wrote:
issue with rewrite. Please help.

Hi all,

We have the following log

2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 [ID 800047 auth.info] Accepted publickey for xyz

We wanted to replace [ID 800047 auth.info] with an empty string (i.e. "") and print the following

2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 Accepted publickey for xyz

So we have used the below rewrite with subst. But this is not working in syslog-ng 3.4.0alpha2.

rewrite rw_msg{subst("\\[.*\\]", "", value("MESSAGE"));};

Can somebody help out here?

Thanks

Hithendra



______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq