Dynamic setting value out of message?
Hi!

I hope it is simple and my thoughts and seeks about it were too complicated :-), simply I didn't know how to do that, perhaps someone has a clue for me.

I am getting e.g. messages like

"MESSAGE": "UIMUC4Maintenance.py: \"== deactivate_uc4_monitoring = ENDE ==\"",

(that's out of a JSON-formatted syslog-ng output),

What I would like to do is to extract the 'UIMUC4Maintenance.py:' and put it into an SDATA-Custom-Variable or PROG, but based on a regex,

so some sort of rewrite-rule like (no not a correct syntax, only to describe it)

rewrite r_fill_program { set(match("^\w*\.py:" value("MESSAGE")) value("PROG")); };

As far as I understand it, set requires a "string" as first parameter, I could use a lot of rewrites with a condition, but I am in "lack of a static string", this should be some sort of variable :-) or I could do that static with a filter for every "^\w*\.py:"-Text, but I hope I could do that dynamic, every time a match of my regex syslog-ng inserts that part into a variable and so on...

Is that possible?

cheers
Matthias

------------------------------------------------------------------------------------
METZLER Informationstechnologie
Matthias Gruber
IT-Infrastruktur & -Betrieb
B. Metzler seel. Sohn & Co. Aktiengesellschaft
Untermainanlage 1
60329 Frankfurt am Main
Telefon (0 69) 21 04 - 43 30
Telefax (0 69) 21 04 - 40 40
MGruber@metzler.com
www.metzler.com
Hi Matthias,

May I ask, is the key 'MESSAGE' fixed and the value is changing between messages? For that you could parse the incoming json with json-parser() and store the parsed key-values, then you can easily set the desired SDATA field with a rewrite rule.

Alternatively, you can set the "store-matches" flag for filters and use the matching groups in a follow-up rewrite rule.

Regards,
Gábor

On Tue, 29 Jun 2021, 10:42 Matthias Gruber, <MGruber@metzler.com> wrote:
Hi!
I hope it is simple and my thoughts and seeks about it were too complicated :-), simply I didn't know how to do that, perhaps someone has a clue for me.
I am getting e.g. messages like "MESSAGE": "UIMUC4Maintenance.py: \"== deactivate_uc4_monitoring = ENDE ==\"", (that's out of a JSON-formatted syslog-ng output),
What I would like to do is to extract the 'UIMUC4Maintenance.py:' and put it into an SDATA-Custom-Variable or PROG, but based on a regex,
so some sort of rewrite-rule like (no not a correct syntax, only to describe it) rewrite r_fill_program { set(match("^\w*\.py:" value("MESSAGE")) value("PROG")); };
As far as I understand it, set requires a "string" as first parameter, I could use a lot of rewrites with a condition, but I am in "lack of a static string", this should be some sort of variable :-) or I could do that static with a filter for every "^\w*\.py:"-Text, but I hope I could do that dynamic, every time a match of my regex syslog-ng inserts that part into a variable and so on...
Is that possible?
cheers Matthias
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hi! Gábor

No the "first Word" of the Message is the interesting part, which I would like to "store" or use for further decisions

e.g. the MESSAGE could be

UIMUC4Maintenance.py: == deactivate_uc4_monitoring = ENDE ==

or

SomeOther.py: Exception at move ...

and so on

My goal is to put it in a destination like

/var/log/Scripts/UIMUC4Maintenance.py.output

or

/var/log/Scripts/SomeOther.py.output

in a dynamic way, so that I don't have to build static filters for every Script

Like I do this with $HOST :-)

Thanks for your time

Cheers
Matthias

From: "Nagy Gábor" <gabor.hl@gmail.com>
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Date: 30.06.2021 17:24
Subject: Re: [syslog-ng] Dynamic setting value out of message?
Sent by: "syslog-ng" <syslog-ng-bounces@lists.balabit.hu>

Hi Matthias,

May I ask, is the key 'MESSAGE' fixed and the value is changing between messages? For that you could parse the incoming json with json-parser() and store the parsed key-values, then you can easily set the desired SDATA field with a rewrite rule.

Alternatively, you can set the "store-matches" flag for filters and use the matching groups in a follow-up rewrite rule.

Regards,
Gábor
Hi,

On Thu, Jul 01, 2021 at 07:31:20AM +0200, Matthias Gruber wrote:
No the "first Word" of the Message is the interesting part, which I would like to "store" or use for further decisions e.g. the MESSAGE could be
Then the store-matches Gábor suggested is the most sensible way to do it.
Hi!

Thanks a lot.... that is what I was seeking for, didn't expect it in the "regular-expression"-Part of the Documentation :-), as told my thought was too complicated

Cheers
Matthias

From: "Fabien Wernli" <wernli@in2p3.fr>
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Date: 01.07.2021 09:24
Subject: Re: [syslog-ng] Antwort: Re: Dynamic setting value out of message?
Sent by: "syslog-ng" <syslog-ng-bounces@lists.balabit.hu>

Hi,

On Thu, Jul 01, 2021 at 07:31:20AM +0200, Matthias Gruber wrote:
No the "first Word" of the Message is the interesting part, which I would like to "store" or use for further decisions e.g. the MESSAGE could be

Then the store-matches Gábor suggested is the most sensible way to do it.
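The store-matches approach suggested in the thread, written out as an added example (not configuration posted by any participant): a filter captures the script name, a rewrite copies it into PROGRAM, and the file destination uses it in the path. The names s_local, f_script, r_script and d_script_files, the choice of source, the version line and the 64-character bound are assumptions; the /var/log/Scripts/<name>.output layout is the one from the thread.

```conf
# Assumption: set this to the installed syslog-ng version.
@version: 3.30

# Assumed source; use whichever source already receives the script output.
source s_local { system(); };

# Match only messages that start with "<name>.py:" and keep the capture groups.
# \w admits letters, digits and underscore only, so the captured name cannot
# contain "/" or "..": message content cannot steer the destination path
# outside /var/log/Scripts. \w{1,64} (instead of \w*) also rejects an empty
# name and bounds the file name length.
filter f_script {
    match('^(\w{1,64}\.py):' value("MESSAGE") type("pcre") flags("store-matches"));
};

# Copy group 1 into PROGRAM right away, because $1 may be replaced by a later
# store-matches filter in the same log path.
rewrite r_script {
    set("$1" value("PROGRAM"));
};

# One file per script name; create-dirs(no) keeps syslog-ng from creating
# directories based on message content.
destination d_script_files {
    file("/var/log/Scripts/${PROGRAM}.output" create-dirs(no));
};

log {
    source(s_local);
    filter(f_script);
    rewrite(r_script);
    destination(d_script_files);
};
```

The regular expression is single-quoted so the backslashes reach the regex engine unescaped. Messages that do not match the filter never reach the destination, so only names that passed the character restriction end up in a file path.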
participants (3)
- Fabien Wernli
- Matthias Gruber
- Nagy Gábor