[syslog-ng] Rewrite engine and backreferences
mike jack
mikebonjack at luukku.com
Thu Aug 12 08:19:38 CEST 2010
Hi list
A system XYZ produces "csv-like" logs. Fields are separated by whitespace and different columns have different meanings. The column titles are not included in log messages.
I would like to rewrite the log messages so that the column title is prefixed to each column's contents. For example:
qwerty asdfg zxcvb 12345
would be rewritten to
system=qwerty action=asdfg flags=zxcvb result=12345
In Perl that would be accomplished by backreferences, e.g.
s/(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/system=$1 action=$2 flags=$3 result=$4/
This does not seem to work with syslog-ng rewrite rules out of the box. This is what I have tried:
rewrite test_columns{subst("(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", "system=$1 action=$2 flags=$3 result=$4", value("MESSAGE"));};
The rewriting works without regexp, so I assume that the configuration syntax is correct.
Is this possible with syslog-ng? If not using the rewrite engine, does syslog-ng support feeding the logs through an external script? The system that produces the logs cannot be changed.
The syslog-ng version is 3.0.4.
Thanks
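
The column-labelling rewrite asked about above, as an added example that is not part of the original post and is not syslog-ng configuration: a stand-alone Python filter that reads lines on stdin and writes labelled lines on stdout. The column names come from the post; the function names and the `unparsed: ` marker are assumptions made for this sketch, and how syslog-ng would invoke the script is not shown. Unlike the unanchored Perl substitution, it matches the whole line, so a line with the wrong number of fields is passed through marked rather than labelled with shifted columns.

```python
import re
import sys

# Column titles taken from the post; order matches the sample line.
COLUMNS = ("system", "action", "flags", "result")

# Marker for lines that do not fit the expected layout (assumed name).
UNPARSED_PREFIX = "unparsed: "

# Anchored pattern: exactly len(COLUMNS) whitespace-separated fields,
# optional surrounding whitespace, and nothing else on the line.
_LINE = re.compile(r"\s*" + r"\s+".join([r"(\S+)"] * len(COLUMNS)) + r"\s*")


def label_columns(line):
    """Return 'name=value ...' for a well-formed line, or None when the
    field count does not match the column list."""
    m = _LINE.fullmatch(line)
    if m is None:
        return None
    return " ".join(f"{name}={value}"
                    for name, value in zip(COLUMNS, m.groups()))


def rewrite(line):
    """Label a line; keep a malformed line intact behind a marker so that
    downstream parsers never see values under the wrong column title."""
    labelled = label_columns(line)
    if labelled is None:
        return UNPARSED_PREFIX + line.strip()
    return labelled


def main(stream_in=sys.stdin, stream_out=sys.stdout):
    for raw in stream_in:
        stream_out.write(rewrite(raw.rstrip("\n")) + "\n")
        stream_out.flush()  # emit each record as soon as it is read


if __name__ == "__main__":
    main()
```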