[syslog-ng] syslog-ng 3.3.3 rewrite question regarding cisco IOS Messages

Thomas Wollner tw at wollner-net.de
Wed Nov 30 18:26:34 CET 2011


Hello List,

I am trying to rewrite Cisco IOS syslog messages that carry timestamps in the
MESSAGE field. I want to remove the timestamp from the message and set
the program to the so-called mnemonic of the message.

I found the following example on the list:

...
filter f_rewrite_cisco_program {
  # $1 = everything between '%' and the first ':' (e.g. LINEPROTO-5-UPDOWN),
  # $2 = the rest of the line; the quantifier on [^:]+ is required, otherwise
  # only a single character would be allowed before the colon.
  match('%([^:]+): ([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref"));
};

rewrite r_cisco_program {
  set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
  set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
};

log {
  source(s_all);
  rewrite(r_cisco_program);
  destination(d_mydestination);
};

But that does not work. I tried a lot of different rewrite syntaxes;
none of them work for me.
If I just employ the filter f_rewrite_cisco_program I am able to
filter out the Cisco messages.

Sample log line (written with template $R_ISODATE $HOST $MSG):

2011-11-30T18:23:50+01:00 192.168.1.1 217122: Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

I'm using the syslog-ng 3.3.3 Debian package from madhouse.

How can I rewrite my messages to filter the timestamp out of the message field?
Any ideas?

Any help is highly welcome,
thanks in advance,

Tom
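As an added example (not part of the original post and not syslog-ng's own code), the PCRE-style pattern below splits a Cisco IOS payload like the one quoted above into sequence number, timestamp, facility/severity/mnemonic and free text, and derives the PROGRAM and MESSAGE values the rewrite is meant to set. Python's `re` accepts the same named-group syntax, so the pattern can be mentally transferred to a `match(... type("pcre"))`; the sample lines are constructed, not captured from a device, and the handling of the optional `*`/`.` clock marker and year is an assumption about IOS timestamp formats.

```python
import re

# Cisco IOS payload: optional "<seq>: ", optional IOS timestamp ("*" or "." prefix
# marks an unsynchronised clock; year, milliseconds and zone are optional),
# then "%FACILITY-SEVERITY-MNEMONIC: " and the free text.
CISCO_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}\s+)?"
    r"\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:\s+[A-Z]+)?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)

def parse_cisco(msg):
    """Split a Cisco IOS MESSAGE into its fields; return None if it is not IOS-shaped."""
    m = CISCO_RE.match(msg.rstrip())
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    return d

def rewrite_program_and_message(msg):
    """Mirror the intended rewrite: PROGRAM <- message identifier, MESSAGE <- text
    with the sequence number and timestamp stripped. Non-Cisco input is left as-is."""
    d = parse_cisco(msg)
    if d is None:
        return None, msg
    # Full FACILITY-SEVERITY-MNEMONIC id; d["mnemonic"] alone is Cisco's strict mnemonic.
    program = "%s-%d-%s" % (d["facility"], d["severity"], d["mnemonic"])
    return program, d["text"]

# Constructed samples modelled on the line quoted in the post (not captured from a device).
SAMPLES = [
    "217122: Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "FastEthernet0/1, changed state to down",
    "*Mar  1 00:00:10.123 UTC: %SYS-5-CONFIG_I: Configured from console by vty0",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up",
    "not a cisco message at all",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(rewrite_program_and_message(s))
```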
