[syslog-ng] REGEX rewrites on packet body possible?

[Eli Stair]

I've got a problem with some network devices that is leading me to need to find 
some way to do regex rewriting of portions of the message body of syslog 
messages.

Problem: I've got a bunch of Foundry devices that put their hostname followed 
by a comma in the body of the message (and some that do not).  Some of these 
look like this:

{
2007-08-16:2007-08-16T09:50:16-07:00 hostname [hostname.local7.notice] 
hostname, Linecard Module 13 temperature 50.0 C degrees is normal
}

# template("$R_ISODATE $HOST [$PROGRAM.$FACILITY.$PRIORITY] $MSG\n")


As you can see from the template, the second hostname reported with the comma 
is part of the MSG body.  For reasons of properly searching/indexing this data 
I need to strip this out.  I've seen mention of a tool called 'syslog-mailer' 
that sounds like it would do the job somewhat.  Additionally, I've seen blog 
chatter about potentially adding full regex rewrite capability to syslog-ng in 
the recent past.  I can't find evidence of either of these methods however.

My first try at solving this using an external program showed that when passing 
data OUT of syslog-ng to a defined program, only the message body is sent and 
before application of a template, the other information is dropped.  Thus it's 
not possible to do processing of the whole payload externally, re-import the 
data via a socket and finish writing because the facility and HOST information 
is all gone!

I'm looking at writing a log proxy using Net::Dev::Tools::Syslog in perl to 
handle listening, rewriting if necessary, and forwarding full messages on to 
syslog-ng after.  I'd just like to know if there are any better suggestions, or 
if this has been done before successfully in another way?

Cheers, and thanks for any insight.


/eli