[syslog-ng] syslog-ng 3.3.3 rewrite question regarding cisco IOS Messages

Thomas Wollner tw at wollner-net.de
Fri Dec 2 11:38:21 CET 2011


Hi,

yes, the workaround works for me. Thank you very much!
Hope you get the cause of quickly.

Thanks again for your time!


best regards,

Tom



Zitat von Gergely Nagy <algernon at balabit.hu>:

> Gergely Nagy <algernon at balabit.hu> writes:
>
>>>>> can you reproduce the error? or do you have a working example for
>>>>> conditional rewrites?
>>>>
>>>> Didn't get that far yet, will see in about half an hour or so.
>>>
>>> Yep, reproduced. filter in itself catches it nicely, rewrite fails:
>>
>> And I have a suspicion where the problem lies. With a bit of luck, I'll
>> have a solution by tomorrow.
>
> While I don't yet have a solution, I know where the problem is, and am
> working on a fix.
>
> For the time being, I can offer a workaround: if you inline the
> condition, instead of using filter() inside the condition, that will
> work:
>
> rewrite r_cisco_program_inline {
>   set("$1", value("PROGRAM"), condition(
>    match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")   
> flags("store-matches" "nobackref"))
>   ));
>   set("$2", value("MESSAGE"), condition(
>    match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
>     flags("store-matches" "nobackref"))
>   ));
> };
>
> This is inconvenient, slow and ugly and in the long term,
> unmaintainable, but works until I prepare a correct fix for the
> condition(filter(foo)) case.
>
> --
> |8]
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:   
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.




More information about the syslog-ng mailing list