Apologies to those of you who have already seen this on the ELSA list.
I want to get rid of the explanatory essay that accompanies some eventlog messages from Windows.
I tried this:
rewrite r_snarex { subst("\s+This event is generated when[^|]+\|", "|", value("MSGONLY") type("pcre")); };
and added it to log section, but it did not work. I have tried various variations on the theme too.
Russell
I got this going with:
rewrite r_snarex { subst("\s+This event is generated when.+", "", value("MSGONLY") type("pcre"));};
Does this mean that my syslog_ng does not support pcre?
Russell
On 11/05/2013, at 2:29 PM, Russell Fulton <r.fulton@auckland.ac.nz> wrote:
Apologies to those of you who have already seen this on the ELSA list.
I want to get rid of the explanatory essay that accompanies some eventlog messages from Windows.
I tried this:
rewrite r_snarex { subst("\s+This event is generated when[^|]+\|", "|", value("MSGONLY") type("pcre")); };
and added it to log section, but it did not work. I have tried various variations on the theme too.
Russell
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
I don't know what the original message looks like that you are trying to substitute in, but I think the issue may be with the \s+; you could try \s* in case there is not any whitespace at the beginning.
Also, since pcre is greedy by default, the \| is not necessary. The [^|]+ (which should probably be [^|]* in case the | follows immediately) will by definition be followed by a | or the end of line.
Evan Rempel
250.271.7691
University Systems, University of Victoria
Russell Fulton <r.fulton@auckland.ac.nz> wrote:
I got this going with:
rewrite r_snarex { subst("\s+This event is generated when.+", "", value("MSGONLY") type("pcre"));};
Does this mean that my syslog_ng does not support pcre?
Russell
On 11/05/2013, at 2:29 PM, Russell Fulton <r.fulton@auckland.ac.nz> wrote:
Apologies to those of you who have already seen this on the ELSA list.
I want to get rid of the explanatory essay that accompanies some eventlog messages from Windows.
I tried this:
rewrite r_snarex { subst("\s+This event is generated when[^|]+\|", "|", value("MSGONLY") type("pcre")); };
and added it to log section, but it did not work. I have tried various variations on the theme too.
Russell
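The patterns discussed in this thread, run over constructed sample messages. This is an added example, not code from either poster: Python's re module stands in for syslog-ng's PCRE matching, and the sample message layout and the names strip_essay and report are assumptions made for illustration.

```python
import re

# Constructed MSGONLY-style samples (assumed layout, not real Snare output).
ESSAY_LAST = ("4624|An account was successfully logged on.  "
              "This event is generated when a logon session is created.")
ESSAY_MID = ESSAY_LAST + "|LogonType=3"
NO_SPACE = "4624|This event is generated when a logon session is created.|LogonType=3"

# (pattern, replacement): the two rules posted in the thread, plus the variant
# suggested in the reply (\s* and [^|]*, no trailing \|).
RULES = {
    "first_attempt": (r"\s+This event is generated when[^|]+\|", "|"),
    "working_rule": (r"\s+This event is generated when.+", ""),
    "suggested": (r"\s*This event is generated when[^|]*", ""),
}


def strip_essay(rule, msg):
    """Apply one rule the way subst() does without flags("global"): first match only."""
    pattern, repl = RULES[rule]
    return re.sub(pattern, repl, msg, count=1)


def report():
    """Return {(rule, sample_name): rewritten message} for every combination."""
    samples = {"essay_last": ESSAY_LAST, "essay_mid": ESSAY_MID, "no_space": NO_SPACE}
    return {(r, n): strip_essay(r, m) for r in RULES for n, m in samples.items()}


if __name__ == "__main__":
    for (rule, name), out in report().items():
        print(f"{rule:14} {name:11} {out}")
```

On these samples, first_attempt leaves essay_last untouched because nothing follows the essay to satisfy the trailing \|, while working_rule also discards any field that comes after the essay.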