[syslog-ng] syslog-ng 3.3.3 rewrite question regarding cisco IOS Messages

Patrick H. syslogng at feystorm.net
Wed Nov 30 20:23:25 CET 2011


Should probably throw something in there to make that match a little 
less ambiguous (so it doesn't match just anything with a % and : in it).



Sent: Wed Nov 30 2011 12:20:03 GMT-0700 (MST)
From: Martin Holste <mcholste at gmail.com>
To: Syslog-ng users' and developers' mailing list 
<syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] syslog-ng 3.3.3 rewrite question regarding 
cisco IOS Messages
> That was mine, and I think there are a couple of mistakes in it because
> there appears to be a missing parenthesis and a plus sign.  Try
> this:
>
> match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre") flags("store-matches" "nobackref"));
>
> On Wed, Nov 30, 2011 at 11:26 AM, Thomas Wollner<tw at wollner-net.de>  wrote:
>> Hello List,
>>
>> I am trying to rewrite cisco IOS syslog messages with timestamps in the
>> MESSAGE field. I want to remove the timestamp from the message and set
>> the program to the so-called mnemonic of the message.
>>
>> I found the following example on the list:
>>
>> ...
>> filter f_rewrite_cisco_program {
>>   match('%([^:]: ([^\n]+)' value("MESSAGE") type("pcre")
>> flags("store-matches" "nobackref"));
>> };
>>
>> rewrite r_cisco_program {
>>   set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
>>   set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
>> };
>>
>> log {
>>   source(s_all);
>>   rewrite(r_cisco_program);
>>   destination(d_mydestination);
>> };
>>
>> But that does not work. I tried a lot of different rewrite syntaxes,
>> none of them work for me.
>> If I just employ the filter f_rewrite_cisco_program I'm able to
>> filter out the cisco messages.
>>
>> Sample log line (written with template $R_ISODATE $HOST $MSG):
>>
>> 2011-11-30T18:23:50+01:00 192.168.1.1 217122: Nov 30 17:23:49:
>> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
>> changed state to down
>>
>> I'm using the syslog-ng 3.3.3 debian package from madhouse.
>>
>> How can I rewrite my messages to filter the timestamp in the message field?
>> Any ideas?
>>
>> Any help is highly welcome,
>> thanks in advance,
>>
>> Tom
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
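To see what the two patterns in this thread actually capture, here is an added Python check (not part of the original posts or of syslog-ng). It runs Martin's corrected expression and a tighter one along the lines Patrick suggests over the MESSAGE field of Tom's sample line and over a constructed non-Cisco line that also contains a `%` and a `:`. The tighter pattern is an assumption added here: it relies on Cisco IOS system messages carrying a `%FACILITY-SEVERITY-MNEMONIC:` header with a single-digit severity 0-7, which is documented IOS behaviour but not stated in the thread. Python's `re` handles this subset of syntax the same way PCRE does, and `re.search()` is unanchored like syslog-ng's `match()`.

```python
import re

# Loose pattern from the thread (Martin's corrected version): anything after a
# '%' up to the first ':' becomes $1, the rest of the line becomes $2.
LOOSE_RE = re.compile(r'%([^:]+):\s+([^\n]+)')

# Tighter pattern (added here, not from the thread): require the
# %FACILITY-SEVERITY-MNEMONIC: shape that Cisco IOS system messages use,
# with severity 0-7, so arbitrary text containing '%' and ':' is not rewritten.
TIGHT_RE = re.compile(r'%([A-Z][A-Z0-9_]*-[0-7]-[A-Z0-9_]+):\s+(.+)')


def split_cisco(message, pattern=TIGHT_RE):
    """Return (program, message) as the rewrite rule would set them, or None.

    program corresponds to $1 (the mnemonic) and message to $2 (the text after
    the header, i.e. without the IOS sequence number and timestamp).
    """
    m = pattern.search(message)   # syslog-ng match() is unanchored, like search()
    if not m:
        return None
    return m.group(1), m.group(2)


# Constructed samples: the MESSAGE field of the line posted in the thread
# (the IOS sequence number and timestamp precede the '%' header), plus a
# non-Cisco line that also happens to contain '%' and ':'.
CISCO_MSG = ("217122: Nov 30 17:23:49: %LINEPROTO-5-UPDOWN: "
             "Line protocol on Interface FastEthernet0/1, changed state to down")
NOT_CISCO_MSG = "disk usage 95% full: check /var"

if __name__ == "__main__":
    for msg in (CISCO_MSG, NOT_CISCO_MSG):
        print("input:", msg)
        print("  loose:", split_cisco(msg, LOOSE_RE))
        print("  tight:", split_cisco(msg))
```

On the Cisco line both patterns yield PROGRAM `LINEPROTO-5-UPDOWN` and a MESSAGE with the leading sequence number and timestamp stripped, which is what the rewrite rule is after. On the non-Cisco line the loose pattern still matches and would set PROGRAM to ` full` and MESSAGE to `check /var`, silently mangling an unrelated message; the tighter pattern returns no match and leaves it alone. Whichever pattern you settle on, keep `flags("store-matches")` on the filter, since `$1` and `$2` in the `set()` calls are only populated from the stored capture groups.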