[syslog-ng] issue with rewrite. Please help.
Balint Kovacs
balint.kovacs at balabit.com
Fri Jun 15 16:26:57 CEST 2012
Hi Hithendra,
I came across this problem just recently; I guess that you want to
handle Solaris logs with the standard Unix analysis ruleset, but these
tags are in the way. The only difference is that I moved the tag to the
end of the message (as patterndb does prefix matching, these don't
bother my patterns but are still there). My rewrite rule is the
following:
rewrite r_solaris
{
    # move the solaris header to the end of the message
    # to work with linux patterndb
    subst("(\[ID [0-9]* [a-z]*\.[a-z]*\])\ " "" value("MESSAGE")
          type("pcre") flags(store-matches));
    subst("$" " $1" value("MESSAGE") type("pcre"));
};
If you don't want to move it (backreferencing is quite slow and
resource-intensive), you could just use this untested version:
rewrite r_solaris
{
    subst("\[ID [0-9]* [a-z]*\.[a-z]*\]\ " "" value("MESSAGE")
          type("pcre") flags(dont-store-matches));
};
HTH,
Balint
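To make the two rewrite strategies above concrete, here is an added Python model of what each subst() does to the MESSAGE field (this is not code from the thread or from syslog-ng itself): strip_solaris_tag mirrors the second rule, move_solaris_tag mirrors the first rule (remove, then re-append the stored match), and greedy_strip shows how an unanchored "\[.*\]" behaves when the message text contains a second ']'. The MESSAGE values and the pattern prefix are constructed from the sample line in the question; the regex character classes are those of the reply's own rule.

```python
import re

# Solaris message-ID tag as it appears at the start of MESSAGE, e.g.
# "[ID 800047 auth.info] ", using the same character classes as the rule above.
SOLARIS_TAG = re.compile(r"(\[ID [0-9]* [a-z]*\.[a-z]*\]) ")

# Unanchored greedy bracket pattern of the form used in the original question.
GREEDY_BRACKETS = re.compile(r"\[.*\]")


def strip_solaris_tag(message: str) -> str:
    """Second rule: drop the tag and the single space after it."""
    return SOLARIS_TAG.sub("", message, count=1)


def move_solaris_tag(message: str) -> str:
    """First rule: remove the tag (store-matches keeps it as $1), then append
    " $1" at the end of the message so the Unix-style text comes first."""
    m = SOLARIS_TAG.search(message)
    if m is None:
        return message  # plain Unix message without a tag passes through unchanged
    return SOLARIS_TAG.sub("", message, count=1) + " " + m.group(1)


def greedy_strip(message: str) -> str:
    """Greedy, unanchored removal: matches from the first '[' to the LAST ']'."""
    return GREEDY_BRACKETS.sub("", message)


def prefix_matches(message: str, pattern_prefix: str) -> bool:
    """Stand-in for patterndb prefix matching: the pattern must match at offset 0."""
    return message.startswith(pattern_prefix)


# Constructed MESSAGE bodies (syslog-ng has already parsed the header off).
SOLARIS_MSG = "[ID 800047 auth.info] Accepted publickey for xyz"
LINUX_MSG = "Accepted publickey for xyz"
TRICKY_MSG = "[ID 800047 auth.info] Accepted key [RSA] for xyz"
UNIX_PATTERN = "Accepted publickey for "

if __name__ == "__main__":
    print(strip_solaris_tag(SOLARIS_MSG))  # Accepted publickey for xyz
    print(move_solaris_tag(SOLARIS_MSG))   # Accepted publickey for xyz [ID 800047 auth.info]
    print(move_solaris_tag(LINUX_MSG))     # Accepted publickey for xyz
    print(greedy_strip(TRICKY_MSG))        # " for xyz": the greedy match swallowed "[RSA]" too
    print(prefix_matches(SOLARIS_MSG, UNIX_PATTERN))                    # False
    print(prefix_matches(move_solaris_tag(SOLARIS_MSG), UNIX_PATTERN))  # True
```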
On 06/15/2012 05:39 AM, Balla, Hithendra (EXT-Other - IN/Bangalore) wrote:
>
> Hi all,
>
> We have the following log
>
> 2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 [ID 800047 auth.info] Accepted publickey for xyz
>
> We wanted to replace [ID 800047 auth.info] with an empty string
> (i.e. "") and print the following
>
> 2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 Accepted publickey for xyz
>
> So we have used the below re-write with subst. But this is not
> working in syslog-ng 3.4.0alpha2.
>
> rewrite rw_msg { subst("\\[.*\\]", "", value("MESSAGE")); };
>
> Can somebody help out here?
>
> Thanks
>
> Hithendra
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>