[syslog-ng] syslog-ng 3.3.3 rewrite question regarding cisco IOS Messages
Gergely Nagy
algernon at balabit.hu
Fri Dec 2 10:54:04 CET 2011
Gergely Nagy <algernon at balabit.hu> writes:
>>>> can you reproduce the error? or do you have a working example for
>>>> conditional rewrites?
>>>
>>> Didn't get that far yet, will see in about half an hour or so.
>>
>> Yep, reproduced. filter in itself catches it nicely, rewrite fails:
>
> And I have a suspicion where the problem lies. With a bit of luck, I'll
> have a solution by tomorrow.

While I don't yet have a solution, I know where the problem is, and am
working on a fix.

For the time being, I can offer a workaround: if you inline the
condition, instead of using filter() inside the condition, that will
work:

rewrite r_cisco_program_inline {
  set("$1", value("PROGRAM"), condition(
    match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
          flags("store-matches" "nobackref"))
  ));
  set("$2", value("MESSAGE"), condition(
    match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
          flags("store-matches" "nobackref"))
  ));
};

This is inconvenient, slow and ugly and in the long term,
unmaintainable, but works until I prepare a correct fix for the
condition(filter(foo)) case.
--
|8]
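
Added example, not part of the original post or of syslog-ng: a Python emulation of the two conditional set() rules above, for checking offline what the pattern extracts before the rewrite is deployed. The function name and sample records are constructed, and Python's re module is assumed to behave like PCRE for this particular pattern.

```python
import re

# Same pattern as in the workaround. It is unanchored, so it is applied
# with re.search() rather than re.match().
CISCO_RE = re.compile(r'%([^:]+):\s+([^\n]+)')


def rewrite_cisco(record):
    """Emulate r_cisco_program_inline on a dict with PROGRAM and MESSAGE.

    Each set() carries its own condition, evaluated against MESSAGE.
    The first set() only changes PROGRAM, so the second condition still
    sees the original MESSAGE and captures the same groups.
    """
    out = dict(record)
    m = CISCO_RE.search(out["MESSAGE"])
    if m:
        out["PROGRAM"] = m.group(1)   # "$1" -> PROGRAM
    m = CISCO_RE.search(out["MESSAGE"])
    if m:
        out["MESSAGE"] = m.group(2)   # "$2" -> MESSAGE
    return out


# Constructed sample records (not taken from the thread).
SAMPLES = [
    # Plain IOS facility-severity-mnemonic message.
    {"PROGRAM": "", "MESSAGE": "%LINK-3-UPDOWN: Interface Fa0/1, changed state to up"},
    # IOS message with sequence number and timestamp left in MESSAGE.
    {"PROGRAM": "", "MESSAGE": "45: *Mar  1 00:01:02.345: %SYS-5-CONFIG_I: Configured from console by vty0"},
    # Non-Cisco message: condition fails, record passes through untouched.
    {"PROGRAM": "sshd", "MESSAGE": "Accepted publickey for admin"},
    # Multi-line payload: [^\n]+ stops at the first newline.
    {"PROGRAM": "", "MESSAGE": "%SYS-5-RESTART: System restarted\nsecond line"},
    # Any "%text: text" sequence satisfies the unanchored pattern.
    {"PROGRAM": "cron", "MESSAGE": "disk 95% full: cleanup needed"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(rewrite_cisco(sample))
```

The last sample shows that a non-IOS message containing "% full: " is rewritten as well, so the rewrite is best applied only to log paths that carry Cisco sources.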