Hello,

is there a way to process more than the $MSG macro with a syslog-ng parse filter?

We are forwarding our syslogs via rsyslog in this format (client config):

    $template tmpl_forward,"%hostname% %syslogtag% \"%msg%\"\n"
    *.* @@syslog:514;tmpl_forward

I have created the following parser rule in syslog-ng:

    parser p_INTERNAL {
        csv-parser(
            columns("INTERNAL.TIME_LOGGED", "INTERNAL.TIME_RECEIVED",
                    "INTERNAL.RELAY_HOST", "INTERNAL.LOGGING_HOST",
                    "INTERNAL.PROGRAM", "INTERNAL.MESSAGE")
            flags(escape-double-char,strip-whitespace)
            delimiters(" ")
            quote-pairs('""[]')
        );
    };

I want to create the logfile in this format:

    destination d_intern2 {
        file("/log-local/__OPS__/$YEAR-$MONTH/xxx-${INTERNAL.LOGGING_HOST}.log");
    };

Unfortunately, syslog-ng does not fill up the $MSG macro with the whole content provided by the client via "%hostname% %syslogtag% \"%msg%\"\n". So it's not possible to fill (parse) the desired 'INTERNAL.LOGGING_HOST' variable.

How could I achieve getting the content of %hostname% (sent by rsyslog) into the 'INTERNAL.LOGGING_HOST' variable of syslog-ng?

Thank you!
Thomas
>>>>> "Thomas" == Thomas Straubinger <thomas.straubinger@nic.at> writes:

Thomas> Hello,
Thomas> is there a way to process more than the $MSG macro with a
Thomas> syslog-ng parse filter?

You can use the template() setting within the parser...

Thomas> We are forwarding our syslogs via rsyslog in this format (client config):
Thomas> $template tmpl_forward,"%hostname% %syslogtag% \"%msg%\"\n"
Thomas> *.* @@syslog:514;tmpl_forward

...though in this case, I would recommend using flags(no-parse) in the source that consumes these messages. Then $MSG will contain the whole line, and you are free to parse it in whatever way you wish. (Though, to parse the date part properly, you may need a very recent syslog-ng.)

--
|8]
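The configuration below is an added worked example of the approach Gergely describes; it is not from either poster and not from the syslog-ng project. It assumes syslog-ng 3.4 or later (network() source syntax), that the receiver listens on TCP/514, and that rsyslog sends exactly the three fields of the tmpl_forward template shown above (hostname, syslogtag, quoted msg), so only three columns are defined instead of the six in the original parser; the source, parser and column names are illustrative.

```conf
@version: 3.5

# Receiver for the rsyslog forwarders. flags(no-parse) tells syslog-ng
# not to interpret the incoming line as a syslog message at all, so $MSG
# holds the complete "%hostname% %syslogtag% \"%msg%\"" line. Note that
# $HOST then reflects the connecting peer (the relay), which is exactly
# why the original hostname has to be recovered by parsing.
source s_rsyslog_forward {
    network(ip("0.0.0.0") port(514) transport("tcp") flags(no-parse));
};

# Split $MSG on single spaces. The third field is double-quoted in the
# rsyslog template, so quote-pairs() lets it contain spaces; a doubled
# quote inside it is treated as a literal quote (escape-double-char).
# template() selects the parser input; "${MSG}" is the default, but it
# could be widened, e.g. to "${HOST} ${MSG}", if a relay-side field is
# needed as well. Column names are assumed for this example.
parser p_internal {
    csv-parser(
        columns("INTERNAL.LOGGING_HOST", "INTERNAL.PROGRAM", "INTERNAL.MESSAGE")
        delimiters(" ")
        quote-pairs('""')
        flags(escape-double-char, strip-whitespace)
        template("${MSG}")
    );
};

# One file per original sending host, named from the parsed column.
# Because the forwarded line carries no timestamp, $YEAR/$MONTH here are
# the receive time on the syslog-ng host, not the time logged on the client.
destination d_intern2 {
    file("/log-local/__OPS__/$YEAR-$MONTH/xxx-${INTERNAL.LOGGING_HOST}.log"
         template("${R_ISODATE} ${INTERNAL.PROGRAM} ${INTERNAL.MESSAGE}\n"));
};

log {
    source(s_rsyslog_forward);
    parser(p_internal);
    destination(d_intern2);
};
```

Two things to check before relying on this in production: a literal double quote inside %msg% on the client side ends the quoted field early and shifts the remaining columns, so the rsyslog template should escape quotes (for example with the property replacer's csv option) or the client should be trusted not to emit them; and since no-parse discards all syslog header processing, anything a host can write into %hostname% lands unchanged in the destination path, so the filename template should only be used with forwarders whose hostnames are controlled.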
Thanks Gergely, works fine! :-)

-----Original message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On behalf of Gergely Nagy
Sent: Wednesday, 11 March 2015 11:43
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] Parsing more than MSG macro