[syslog-ng] Rewrite Rule Syntax Confusion

Matthew Hall mhall at mhcomputing.net
Fri Aug 27 02:50:41 CEST 2010 

Hello all,

I am trying to make a combination of a template and a rewrite rule to 
write my messages into an extension of WELF format to make them easier 
to process downstream (the entire point of patterndb I guess).

The template part was trivial and works perfectly. I just used some 
regex hacking to extract all 45 variable names I used in my patterndbs, 
then used gawk to dump them out into a giant (escaped) string like this, 
and pasted it to the config file.

template("var1=\"$var1\" var2=\"$var2\" ...\n");

One minor thing: Currently I am forced to expand varfoo="$varfoo" even 
if the value of $varfoo is empty because a particular message did not 
contain "$varfoo".

I suspect I could fix this by writing a C plugin which checks the length 
before expanding but I wondered if there were an easier way.

Else maybe we could make this WELF output techniquie available for 
everybody because I think the problem could be very common. In any case 
I can always make the downstream ignore empty expansions for now.

The only problem: I want one field at the end of the message to be named 
'raw' and contain a double-quote-escaped copy of the raw message. That 
way if the message contains double quote characters it won't break a 
parser because they will be escaped right.

Here is how I thought of doing this after reading the manual:

rewrite r_add_raw {
    set(subst("\"", "\\\"", value("$MSGHDR$MSG"), flags("global")), value("raw"));
}

However I am getting hit with this syntax error:

WARNING: Your configuration uses a newly introduced reserved word as 
identifier, please use a different name; keyword='subst', 
filename='welf.conf', line='2'

Apparently I did it wrong, or there is a reason I can't call set on my 
raw variable to set the raw variable to the double quote escaped string 
subst'ed from input message in $MSGHDR$MSG. I really hope somebody can 
comment about how to fix it so that double quotes in the input won't 
blow things up.

For now I worked around it temporarily just to get up and running by 
adding raw=\"$MSGHDR$MSG\" to the end of my template just to see if it 
would work OK and it does work OK when you don't have double quotes in 
there.

Matthew.

More information about the syslog-ng mailing list