Re: [syslog-ng] issue with rewrite. Please help.
Hi Balint and all,

Can you guide us here on what might be the issue?

Thanks
Hithendra

-----Original Message-----
From: Balla, Hithendra (EXT-Other - IN/Bangalore)
Sent: Monday, June 18, 2012 6:53 PM
To: 'Syslog-ng users' and developers' mailing list'
Subject: RE: [syslog-ng] issue with rewrite. Please help.

Hi Balint,

Thanks for the reply. I tried the below rewrite

    rewrite r_solaris {
        subst("\[ID [0-9]* [a-z]*\.[a-z]*\]\ " "" value("MESSAGE") type("pcre") flags(dont-store-matches));
    };

It works for auth.info, but it does not work with local7.info or local6.info, as the regex does not handle numerals in the facility field. I tried changing it as follows (i.e. added [0-9] before the .), but with this, it dumps core. Addition of any numeral in this position results in a core dump:

    subst("\[ID [0-9]* [a-z]*[0-9]\.[a-z]*\]\ " "" value("MESSAGE")

We have tried the following.

    logger -p local7.info "HELLO|KUAAA"                --> Did not work
    logger -p local6.info "HELLO|KUAAA"                --> Did not work
    logger -p auth.info "Accepted password for root"   --> Worked.

Thanks
Hithendra

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu on behalf of ext Balint Kovacs
Sent: Fri 6/15/2012 10:26 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] issue with rewrite. Please help.

Hi Hithendra,

I came across this problem just recently. I guess that you want to handle Solaris logs with the standard Unix analysis ruleset, but these tags are in the way. The only difference is that I moved the tag to the end of the message (as patterndb does prefix matching, these don't bother my patterns but are still there).

My rewrite rule is the following:

    rewrite r_solaris {
        # move the solaris header to the end of the message
        # to work with linux patterndb
        subst("(\[ID [0-9]* [a-z]*\.[a-z]*\])\ " "" value("MESSAGE") type("pcre") flags(store-matches));
        subst("$" " $1" value("MESSAGE") type("pcre"));
    };

If you don't want to move it (backreferencing is quite slow and resource-intensive), you could just use this untested version:

    rewrite r_solaris {
        subst("\[ID [0-9]* [a-z]*\.[a-z]*\]\ " "" value("MESSAGE") type("pcre") flags(dont-store-matches));
    };

HTH,
Balint

On 06/15/2012 05:39 AM, Balla, Hithendra (EXT-Other - IN/Bangalore) wrote:
Hi all,
We have the following log

    2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 [ID 800047 auth.info] Accepted publickey for xyz

We wanted to replace [ID 800047 auth.info] with an empty string (i.e. "") and print the following

    2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 Accepted publickey for xyz

So we have used the below rewrite with subst. But this is not working in syslog-ng 3.4.0alpha2.

    rewrite rw_msg { subst("\\[.*\\]", "", value("MESSAGE")); };
Can somebody help out here?
Thanks
Hithendra
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
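As an added example (not part of the thread above and not syslog-ng's own code), the three regexes discussed in it, run side by side over constructed sample messages in Python's re module, whose syntax agrees with PCRE for these patterns (an assumption; syslog-ng's config-file string escaping is not modelled here). It shows why the "[a-z]*" facility class from the thread leaves local6/local7 messages untouched, what a digit-aware class does with them, what Balint's move-to-end variant produces, and how the original post's "\[.*\]" behaves on a message that contains a second "]". The sample lines, the digit-aware pattern and the helper names are this example's own; the 4/6 prefix and the auth.info line are modelled on the thread. Whether the digit-aware class also avoids the crash Hithendra reported is not something this example can show.

```python
import re

# Constructed sample messages, modelled on the thread: the Solaris
# "[ID <msgid> <facility>.<priority>]" tag sits in front of the real text.
SAMPLES = {
    "auth":   "4/6 [ID 800047 auth.info] Accepted publickey for xyz",
    "local7": "4/6 [ID 702911 local7.info] HELLO|KUAAA",
    "nested": "4/6 [ID 702911 local6.info] session[root] opened",
    "plain":  "4/6 HELLO|KUAAA",
}

# Pattern from the thread: "[a-z]*" cannot match the digit in local0..local7,
# so those messages are returned unchanged.
NARROW_TAG = re.compile(r"\[ID [0-9]* [a-z]*\.[a-z]*\] ")

# Digit-aware variant (this example's own choice, not from the thread):
# the facility class admits digits; msgid and priority must be non-empty.
TAG = re.compile(r"(\[ID [0-9]+ [a-z0-9]+\.[a-z]+\]) ")

# The original post's pattern: a greedy ".*" runs to the LAST "]" in the
# message, so anything bracketed later in the text is swallowed too.
GREEDY = re.compile(r"\[.*\]")


def strip_tag(msg: str, pattern: re.Pattern = TAG) -> str:
    """Remove the first occurrence of the tag, as subst(..., "") would."""
    return pattern.sub("", msg, count=1)


def move_tag_to_end(msg: str) -> str:
    """Balint's variant: cut the tag out and append it, so prefix-matching
    patterndb rules see the plain message text first."""
    m = TAG.search(msg)
    if m is None:
        return msg
    return msg[:m.start()] + msg[m.end():] + " " + m.group(1)


def tag_fields(msg: str):
    """Return (msgid, facility, priority) from the tag, or None if absent."""
    m = re.search(r"\[ID ([0-9]+) ([a-z0-9]+)\.([a-z]+)\]", msg)
    return m.groups() if m else None


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:7s} narrow : {strip_tag(msg, NARROW_TAG)}")
        print(f"{name:7s} digit  : {strip_tag(msg)}")
        print(f"{name:7s} greedy : {strip_tag(msg, GREEDY)}")
        print(f"{name:7s} moved  : {move_tag_to_end(msg)}")
```

Running it shows the local7 line surviving NARROW_TAG intact, the digit-aware pattern stripping all three tagged lines and leaving the untagged one alone, and the greedy pattern reducing "session[root] opened" to "opened". In syslog-ng terms the digit-aware pattern is the same subst() as Balint's untested version with [a-z0-9]+ in place of [a-z]*; keep the trailing escaped space in the syslog-ng rule, otherwise a double space is left behind as the greedy variant shows.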
participants (1)
-
Balla, Hithendra (EXT-Other - IN/Bangalore)