Re: [syslog-ng] issue with rewrite. Please help.
Can somebody help here on this issue?

_____________________________________________
From: Balla, Hithendra (EXT-Other - IN/Bangalore)
Sent: Friday, June 15, 2012 9:09 AM
To: 'Syslog-ng users' and developers' mailing list'
Subject: issue with rewrite. Please help.

Hi all,

We have the following log

2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 [ID 800047 auth.info] Accepted publickey for xyz

We wanted to replace [ID 800047 auth.info] with empty string (i.e. "") and print the following

2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 Accepted publickey for xyz

So we have used the below re-write with subst. But this is not working in syslog-ng 3.4.0alpha2.

rewrite rw_msg{subst("\\[.*\\]", "", value("MESSAGE"));};

Can somebody help out here?

Thanks
Hithendra
Hi,

I don't know your message format, but to me it seems that the auth.info is the PRE (facility + priority) part and not the message part. What does your log template look like? If you haven't defined one, it's maybe the default one, which is timestamp, msghdr, msg. So you may succeed with your rewrite if you apply it to the MSGHDR macro instead of MESSAGE?

Hope it helps,
regards,
Tom

Quoting "Balla, Hithendra (EXT-Other - IN/Bangalore)" <hithendra.balla.ext@nsn.com>:
Can somebody help here on this issue?
_____________________________________________
From: Balla, Hithendra (EXT-Other - IN/Bangalore)
Sent: Friday, June 15, 2012 9:09 AM
To: 'Syslog-ng users' and developers' mailing list'
Subject: issue with rewrite. Please help.
Hi all,
We have the following log
2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 [ID 800047 auth.info] Accepted publickey for xyz
We wanted to replace [ID 800047 auth.info] with empty string (i.e. "") and print the following
2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 Accepted publickey for xyz
So we have used the below re-write with subst. But this is not working in syslog-ng 3.4.0alpha2.
rewrite rw_msg{subst("\\[.*\\]", "", value("MESSAGE"));};
Can somebody help out here?
Thanks
Hithendra