[syslog-ng] rewriteable fields
chris packham
chris.packham at alliedtelesis.co.nz
Mon Apr 27 06:54:28 CEST 2009
Hi List,
Just looking for a bit of clarification on exactly what fields I can
rewrite in a message.
Basically I've got an annoying debug message coming out of a program and
while I could filter it off to a separate file, what I really want to do
is drop its level to debug (from warning) and let my existing filters
take care of it.
The docs say "Setting a field can operate on any value available via
macros, e.g., HOST, MESSAGE, PROGRAM, or any user-defined macros created
using parsers" so modifying LEVEL is not listed but its not explicitly
excluded either.
I tried "rewrite r_norm {set("1", value("LEVEL")); };" but that didn't
work.
However "rewrite r_norm {set("FOO", value("MESSAGE")); };" and "rewrite
r_norm {set("BAR", value("PROGRAM")); };" work as expected.
Are there limitations as to which parts of a message I can rewrite? Are
there some fuller examples hanging around?
Thanks,
Chris
More information about the syslog-ng
mailing list