[syslog-ng] issue with rewrite. Please help.
Balla, Hithendra (EXT-Other - IN/Bangalore)
hithendra.balla.ext at nsn.com
Tue Jun 19 09:16:05 CEST 2012
Hi Balint and all,
Can you guide us here on what might be the issue ?
Thanks
Hithendra
-----Original Message-----
From: Balla, Hithendra (EXT-Other - IN/Bangalore)
Sent: Monday, June 18, 2012 6:53 PM
To: 'Syslog-ng users' and developers' mailing list'
Subject: RE: [syslog-ng] issue with rewrite. Please help.
Hi Balint,
Thanks for the reply.
I tried the below rewrite
rewrite r_solaris
{
subst("\[ID [0-9]* [a-z]*\.[a-z]*\]\ " "" value("MESSAGE")
type("pcre") flags(dont-store-matches));
};
It works for auth.info, but it does not work with local7.info or
local6.info as the regex does not handle numerals in the facility field.
I tried changing it as follows (i.e. added [0-9] before .)., but with
this, this dumps core. Addition of any numeral in this position results
in a core dump
subst("\[ID [0-9]* [a-z]*[0-9]\.[a-z]*\]\ " "" value("MESSAGE")
We have tried the following.
logger -p local7.info "HELLO|KUAAA" --> Did not work
logger -p local6.info "HELLO|KUAAA" --> Did not work
logger -p auth.info "Accepted password for root" --> Worked.
Thanks
Hithendra
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu on behalf of ext Balint Kovacs
Sent: Fri 6/15/2012 10:26 PM
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] issue with rewrite. Please help.
Hi Hithendra,
I came across this problem just recently, I guess that you want to
handle Solaris logs with the standard Unix analysis ruleset, but the
these tags are in the way. The only difference is, that I moved the tag
to the end of the message (as patterndb does prefix matching, these
don't bother my patterns but are still there). My rewrite rule is the
following:
rewrite r_solaris
{
#move the solaris header to the end of the message
#to work with linux patterndb
subst("(\[ID [0-9]* [a-z]*\.[a-z]*\])\ " "" value("MESSAGE")
type("pcre") flags(store-matches));
subst("$" " $1" value("MESSAGE") type("pcre"));
};
If you don't want to move it (backreferencing is quite slow and
resource-intensive), you could just use this untested version:
rewrite r_solaris
{
subst("\[ID [0-9]* [a-z]*\.[a-z]*\]\ " "" value("MESSAGE")
type("pcre") flags(dont-store-matches));
};
HTH,
Balint
On 06/15/2012 05:39 AM, Balla, Hithendra (EXT-Other - IN/Bangalore)
wrote:
>
> Hi all,
>
> We have the followinglog
>
> 2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6*[ID 800047
> auth.info]*Accepted publickey for xyz
>
> We wanted to replace*[ID 800047 auth.info]*with*empty
> string*(i.e."")and print the following
>
> 2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 Accepted publickey for xyz
>
> So we have used the below re-write with subst. But this is not
> workingin*syslog-ng 3.4.0alpha2*.
>
> rewrite rw_msg{*subst*("\\[.*\\]", "", value("MESSAGE"));};
>
> Can somebody help out here?
>
> Thanks
>
> Hithendra
>
>
>
>
________________________________________________________________________
______
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
More information about the syslog-ng
mailing list