Hi, I am trying to use rewrite to change a message's PRIORITY. I am able to change the HOST to "info" using: rewrite r_rewrite_set{set("info", value("HOST") condition(filter(f_logstash)));}; But, when I try setting the PRIORITY to "info", using this: rewrite r_rewrite_set{set("info", value("PRIORITY") condition(filter(f_logstash)));}; But, when I try setting the PRIORITY to "info", using this: Error parsing rewrite expression, syntax error, unexpected LL_NUMBER, expecting LL_IDENTIFIER or LL_STRING in /etc/syslog-ng/f_messages.conf at line 8, column 27:included from /etc/syslog-ng.conf line 18, column 34rewrite r_rewrite_set{set(3, value("PRIORITY") condition(filter(f_logstash)));};^ Please advise on how I can fix this. Thanks.
according to the syslog-ng administrators guide, the section "Hard vs. soft macros" the hard macros that can not be rewritten/changed are BSDTAG, CONTEXT_ID, DATE, DAY, FACILITY_NUM, FACILITY, FULLDATE, HOUR, ISODATE, LEVEL_NUM, LEVEL, MIN, MONTH_ABBREV, MONTH_NAME, MONTH, MONTH_WEEK, , PRIORITY, PRI, RCPTID, SDATA, SEC, SEQNUM, SOURCEIP, STAMP, TAG, TAGS, TZOFFSET, TZ, UNIXTIME, WEEK_DAY_ABBREV, WEEK_DAY_NAME, WEEK_DAY, WEEK, YEAR_DAY, YEAR and that includes the priority of a message. On 06/09/2017 12:10 PM, To Mitz wrote:
Hi,
I am trying to use rewrite to change a message's PRIORITY. I am able to change the HOST to "info" using:
rewrite r_rewrite_set{set("info", value("HOST") condition(filter(f_logstash)));};
But, when I try setting the PRIORITY to "info", using this:
rewrite r_rewrite_set{set("info", value("PRIORITY") condition(filter(f_logstash)));};
But, when I try setting the PRIORITY to "info", using this:
Error parsing rewrite expression, syntax error, unexpected LL_NUMBER, expecting LL_IDENTIFIER or LL_STRING in /etc/syslog-ng/f_messages.conf at line 8, column 27: included from /etc/syslog-ng.conf line 18, column 34 rewrite r_rewrite_set{set(3, value("PRIORITY") condition(filter(f_logstash)));}; ^
Please advise on how I can fix this.
Thanks.
There's no mechanism to change the priority or facility of a message as of now. If can be worked around by rewriting the syslog header before parsing or on output. The syntax error itself is caused by the fact the fact that the number three in the set () operation is not quoted. On Jun 9, 2017 21:14, "To Mitz" <atm613@yahoo.com> wrote:
Hi,
I am trying to use rewrite to change a message's PRIORITY. I am able to change the HOST to "info" using:
rewrite r_rewrite_set{set("info", value("HOST") condition(filter(f_logstash)));};
But, when I try setting the PRIORITY to "info", using this:
rewrite r_rewrite_set{set("info", value("PRIORITY") condition(filter(f_logstash)));};
But, when I try setting the PRIORITY to "info", using this:
Error parsing rewrite expression, syntax error, unexpected LL_NUMBER, expecting LL_IDENTIFIER or LL_STRING in /etc/syslog-ng/f_messages.conf at line 8, column 27: included from /etc/syslog-ng.conf line 18, column 34 rewrite r_rewrite_set{set(3, value("PRIORITY") condition(filter(f_logstash)));}; ^
Please advise on how I can fix this.
Thanks.
____________________________________________________________ __________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/? product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
participants (3)
-
Evan Rempel
-
Scheidler, Balázs
-
To Mitz