[syslog-ng] change msg text before db inserting
Balazs Scheidler
bazsi at balabit.hu
Fri Jun 26 10:24:42 CEST 2009
On Fri, 2009-06-26 at 10:14 +0200, Henk van Lingen wrote:
> Hi,
>
> Is it possible to change the message text before it is inserted
> into a database?
>
> I have syslog-ng-3.0.2 running and it does insert the messages directly
> into a PostgreSQL database, using the new sql(type(pgsql) destination
> feature.
>
> The problem is I have lots of cisco firewall loggings, and in the database
> I have a gin index for doing full text searching. For this index,
> the database decomposes the message into tokens. I want to be able to
> search on IP-numbers. However, in lines like
>
> world/123.456.192.46(0) -> some-fwsm/123.456.221.121(0)
>
> this won't work because the tokens are world/123.456.192.46 and
> /123.456.192.46, not 123.456.192.46.
>
> To solve the prob it would be nice if there is a way to replace the slashes
> with spaces before the message goes to the database.

You could perhaps be interested in the new db-parser() feature, see the
related blog posts about that.

To simply replace '/' with ' ' is quite easy:

  # subst() takes the pattern to find first, then the replacement
  rewrite r_replace_slashes { subst('/', ' ', flags(global)); };
--
Bazsi
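
Added example (not part of the original message, and not the poster's or the project's own configuration): the rewrite rule from the reply wired into a complete log path ahead of the sql() destination, next to a second path that keeps the unmodified text for audit. The source, file path, database credentials, table and column names are assumptions chosen for illustration.

```conf
@version: 3.0

# Assumed source: firewall syslog arriving over UDP/514.
source s_fw { udp(ip(0.0.0.0) port(514)); };

# Replace every '/' in the message body with a space so that
# "world/123.456.192.46(0)" is stored as "world 123.456.192.46(0)".
rewrite r_replace_slashes {
    subst("/", " ", value("MESSAGE"), flags("global"));
};

# Assumed PostgreSQL destination; credentials are placeholders.
destination d_pgsql {
    sql(type(pgsql)
        host("localhost") username("syslog") password("CHANGE_ME")
        database("logs")
        table("fw_messages")
        columns("datetime varchar(32)", "host varchar(64)",
                "program varchar(64)", "message text")
        values("$R_ISODATE", "$HOST", "$PROGRAM", "$MSG")
        indexes("datetime", "host"));
};

# Assumed flat-file destination for the original message text.
destination d_raw { file("/var/log/fw-raw.log"); };

# Path 1: rewrite first, then insert the modified text into the database.
log { source(s_fw); rewrite(r_replace_slashes); destination(d_pgsql); };

# Path 2: does not reference the rewrite rule, so the file keeps the
# message as it was received.
log { source(s_fw); destination(d_raw); };
```

The rewrite() reference has to come before destination() inside the log statement; a destination listed ahead of it would receive the message before the substitution is applied.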