Doing a regex substitution in syslog-ng
Hey guys, I'm trying to make a syslog-ng solution to receive logs from some custom java apps that output syslog data, but I have an issue. Our programmers have already defined a format for their messages, and our log parsers expect this format. I can pass the data around syslog systems, but at the destination file, I need to strip off the syslog headers to leave me with the raw message that came out of the java app. I was hoping that I could do something akin to a filter that did a regex substitution to modify the message to make it look pretty. Is this possible, and if not, is there any other way of pulling this off?
Thanks
Donavan Pantke
On Mon, Jun 10, 2002 at 09:20:43PM -0400, Donavan Pantke wrote:
Hey guys, I'm trying to make a syslog-ng solution to receive logs from some custom java apps that output syslog data, but I have an issue. Our programmers have already defined a format for their messages, and our log parsers expect this format. I can pass the data around syslog systems, but at the destination file, I need to strip off the syslog headers to leave me with the raw message that came out of the java app. I was hoping that I could do something akin to a filter that did a regex substitution to modify the message to make it look pretty. Is this possible, and if not, is there any other way of pulling this off?
If all you want is to lose what syslog added:
destination d_template_test { file("/var/log/java.log" template("$MSG\n")); };
log { source(src); destination(d_template_test); };
I'd imagine this will take care of you. IIRC, you need a devel branch to use templates.
--
"Plonk /excl./: The sound a newbie makes as he falls to the bottom of a kill file." - From the Jargon File.
On Mon, Jun 10, 2002 at 07:40:55PM -0700, Nate Campi wrote:
On Mon, Jun 10, 2002 at 09:20:43PM -0400, Donavan Pantke wrote:
the raw message that came out of the java app. I was hoping that I could do something akin to a filter that did a regex substitution to modify the message to make it look pretty. Is this possible, and if not, is there any other way of pulling this off?
If all you want is to lose what syslog added:
destination d_template_test { file("/var/log/java.log" template("$MSG\n")); }; log { source(src); destination(d_template_test); };
I'd imagine this will take care of you. IIRC, you need a devel branch to use templates.
You will be stuck with the TAG field (program name) if it's added as part of the message (by logger perhaps). The program name is merely a convention added to the beginning of a message, and IIRC syslog-ng faithfully gives you the whole message when you ask for it in a template like this.
--
Programming /n./ 1. The art of debugging an empty file. 2. A pastime similar to banging one's head against a wall, but with fewer opportunities for reward. 3. The most fun you can have with your clothes on (although clothes are not mandatory). - From the Jargon File.
participants (2): Donavan Pantke, Nate Campi
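Added example (not part of the original thread, and not syslog-ng's own parser): Python that splits a BSD-syslog (RFC 3164) line the way the replies describe, showing that the text left after the header still begins with the program tag, and removes that tag only when it names an expected program, so application text such as "ERROR: ..." is not cut by mistake. The sample lines, the program name javaapp, the allow-list parameter and the function names are all constructed for illustration.

```python
import re

# RFC 3164 (BSD syslog) framing: <PRI>Mmm dd hh:mm:ss HOST message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
# Tag convention at the start of the message: "program[pid]: " or "program: "
TAG_RE = re.compile(r"^(?P<program>[A-Za-z0-9_./-]{1,32})(?:\[\d+\])?: ?")

# Constructed sample input (not taken from the thread).
SAMPLES = [
    "<134>Jun 10 21:20:43 apphost1 javaapp[2211]: ORDER|42|status=OK",
    "<134>Jun 10 21:20:44 apphost1 ORDER|43|status=FAIL",   # no tag at all
    "<131>Jun 10 21:20:45 apphost1 ERROR: disk full",        # "ERROR:" is app text
]


def split_syslog(line):
    """Split off the syslog header; 'msg' is what remains, tag included."""
    line = line.rstrip("\n")
    m = HEADER_RE.match(line)
    if m is None or int(m.group("pri")) > 191:
        # Not a valid header: keep the whole line rather than guess.
        return {"facility": None, "severity": None, "ts": None,
                "host": None, "msg": line}
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7,
            "ts": m.group("ts"), "host": m.group("host"), "msg": m.group("msg")}


def raw_message(line, expected_programs):
    """Return the application's own text: header removed, and the leading tag
    removed only if it names a program we expect (assumed allow-list)."""
    msg = split_syslog(line)["msg"]
    m = TAG_RE.match(msg)
    if m and m.group("program") in expected_programs:
        return msg[m.end():]
    return msg


if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(split_syslog(s)["msg"]), "->", repr(raw_message(s, {"javaapp"})))
```

Dropping the header also drops the host and timestamp from the stored line, so keep a second destination with the full record if the origin of each message matters later.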