[syslog-ng] [patch] Add filters to strip unwanted data from incoming syslog messages.

William Pitcock nenolod at sacredspiral.co.uk
Mon Jul 9 17:40:47 CEST 2007


On Mon, 9 Jul 2007, Valdis.Kletnieks at vt.edu wrote:

> +############################################################
> +## generic filters
> +
> +filter f_strip { strip(ips); };
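
Review bot: the "filter f_strip { strip(ips); };" line under "generic filters" carries no comment saying what strip(ips) does to a message (whether matched addresses are removed or replaced, and what besides "ips" it accepts). Since a filter usually reads as a match condition, a one-line comment above the definition stating that this one modifies the message would save readers from hunting through the config.
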
>
> It *appears* that this is the only place this .conf file does anything with the
> new feature.  As such, it took me a long time to *find* it in there.  Oh, and
> three references in the d_postfix, d_sympa, and d_courier segments.  It would
> be a lot clearer if instead of a complete .conf file, you provided a very
> minimalist example of how to use it (10-20 lines at most).
>
> +  This patch has been tested against the following versions of syslog-ng:
> + 	. version 1.6.7
> + 	. Debian package syslog-ng_1.6.7-2
>
> Does this need updating?  Your diff appears to actually be against 2.0.4.

For what it's worth, I didn't write the README, I just redid the code part 
for 2.0.4. Do whatever you want with the readme, I only included it because
the initial patch we had came with it. As did the config example.

> Also, if you're going to all the trouble of creating a filter_replace_new
> and filter_replace_eval, it might not be bad at all if you were to make
> a more generalized feature out of it so that sites can use it to do more
> than just IP addresses.  For instance, a site might need to do something like
>
> filter f_userpass { replace("user=.* pass=.* ", "user=MASKED pass=MASKED"); }
>
> or some such.  That's a *lot* more 'personal identifying' than just an IP
> address.

The patch I provided provides a replace feature like what you say.

To use the replace feature my patch provides, you do something like:

    filter f_userpass { replace("user=[.*] pass=[.*]", "user=MASKED pass=MASKED"); };

It works exactly as you describe.

- William
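
Added example, not part of the original message or of the patch: the user/pass masking discussed above, sketched with Python's re module rather than the patch's replace(), whose pattern syntax the thread does not specify. The log lines are constructed; the code compares a greedy ".*" pattern with a bounded one and checks each output for secrets that survive masking.

```python
import re

# Constructed sample messages paired with the secrets they contain
# (illustrative only, not taken from the thread or the patch).
SAMPLES = [
    ("sshd[811]: auth user=alice pass=hunter2 from 192.0.2.10", ["alice", "hunter2"]),
    ("app: login failed user=dave pass=topsecret", ["dave", "topsecret"]),
    ("app: user=bob pass=s3cret retry=1; user=carol pass=pw2 ok", ["bob", "s3cret", "carol", "pw2"]),
]

MASK = "user=MASKED pass=MASKED"

# Greedy form: each ".*" extends as far as the line allows, and the
# trailing space means a password at end of line is never matched.
GREEDY = re.compile(r"user=.* pass=.* ")

# Bounded form: each value is one run of non-whitespace characters.
# Assumption: values contain no spaces; quoted values need another pattern.
BOUNDED = re.compile(r"\buser=\S+ pass=\S+")

def mask_greedy(msg):
    return GREEDY.sub(MASK + " ", msg)

def mask_bounded(msg):
    return BOUNDED.sub(MASK, msg)

def leaked(masked, secrets):
    """Return the secrets still visible in a masked message."""
    return [s for s in secrets if s in masked]

def audit(mask):
    """Run a masking function over SAMPLES; return (output, leaks) pairs."""
    return [(mask(m), leaked(mask(m), s)) for m, s in SAMPLES]

if __name__ == "__main__":
    for name, fn in (("greedy", mask_greedy), ("bounded", mask_bounded)):
        print(f"--- {name}")
        for out, leaks in audit(fn):
            print(f"{out!r} leaks={leaks}")
```

The greedy pattern fails in both directions: it swallows non-sensitive text after the password and leaves the end-of-line password untouched, which is why a redaction rule is worth testing against lines that are known to contain secrets.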

