I can only assume I am not implementing this correctly. :-)
But I have a parser I am trying to use so I can take a subset of the information of a message and send that subset to another receiver.
This is the whole message:
<13>Feb 4 18:40:17 myhost syslogng: 2012-02-04T18:40:17-08:00 myhostserver-http /tmp/logs/access_log Hi Mom
What I want to do is send out the message as :
<13>Feb 4 18:40:17 myhost syslogng: Hi Mom
Notice how I dropped the middle part out.
From what I have read, the parser acts on the message body alone. Is this correct?
So I set it up to look for four(4) columns of data and to be "greedy" on the last column.
I have played around with the number of columns and even used a rewrite function instead. But the Parser continues to produce empty variables. And my template just echos out my default value.
Any thoughts?
parser p_et_logmessage {
csv-parser(
#columns("ETMSG")
#columns("ETMSG.ISODATE")
columns("ETMSG.ISODATE", "ETMSG.EASI", "ETMSG.SOURCE", "ETMSG.BODY")
delimiters(" ")
#template("${MSG}")
flags(greedy)
);
};
rewrite r_rewrite_set{set('${ETMSG.BODY:-nothing}', value("MESSAGE"));};
template t_et_basic_logmessage {
template("${ETMSG.BODY:-nothing}\n"); template_escape(no); };
destination destination_info {
tcp("host2" port(8080)
template(t_et_basic_logmessage)
log_disk_fifo_size(32212254720)
);
};
log {
source(INTAKE);
parser(p_et_logmessage);
destination(destination_info);
};
