[syslog-ng] issue with rewrite. Please help.

Balla, Hithendra (EXT-Other - IN/Bangalore) hithendra.balla.ext at nsn.com
Tue Jun 19 09:16:05 CEST 2012


Hi Balint and all,

Can you guide us here on what might be the issue?

Thanks
Hithendra 

-----Original Message-----
From: Balla, Hithendra (EXT-Other - IN/Bangalore) 
Sent: Monday, June 18, 2012 6:53 PM
To: 'Syslog-ng users' and developers' mailing list'
Subject: RE: [syslog-ng] issue with rewrite. Please help.

Hi Balint,
Thanks for the reply. 

I tried the below rewrite

rewrite r_solaris
   {
      subst("\[ID [0-9]* [a-z]*\.[a-z]*\]\ " "" value("MESSAGE") type("pcre") flags(dont-store-matches));
   };

It works for auth.info, but it does not work with local7.info or
local6.info, as the regex does not handle numerals in the facility field.
I tried changing it as follows (i.e. added [0-9] before the \.), but with
this it dumps core. Adding any numeral in this position results in a
core dump.

      subst("\[ID [0-9]* [a-z]*[0-9]\.[a-z]*\]\ " "" value("MESSAGE")


We have tried the following.

logger -p local7.info "HELLO|KUAAA"  --> Did not work 
logger -p local6.info "HELLO|KUAAA"  --> Did not work
logger -p auth.info "Accepted password for root" --> Worked. 

Thanks
Hithendra



-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu on behalf of ext Balint Kovacs
Sent: Fri 6/15/2012 10:26 PM
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] issue with rewrite. Please help.
 
Hi Hithendra,

I came across this problem just recently. I guess that you want to
handle Solaris logs with the standard Unix analysis ruleset, but these
tags are in the way. The only difference is that I moved the tag to the
end of the message (as patterndb does prefix matching, these don't
bother my patterns but are still there). My rewrite rule is the
following:

rewrite r_solaris
   {
      # move the solaris header to the end of the message
      # to work with linux patterndb
      subst("(\[ID [0-9]* [a-z]*\.[a-z]*\])\ " "" value("MESSAGE") type("pcre") flags(store-matches));
      subst("$" " $1" value("MESSAGE") type("pcre"));
   };

If you don't want to move it (backreferencing is quite slow and 
resource-intensive), you could just use this untested version:

rewrite r_solaris
   {
      subst("\[ID [0-9]* [a-z]*\.[a-z]*\]\ " "" value("MESSAGE") type("pcre") flags(dont-store-matches));
   };

HTH,
Balint


On 06/15/2012 05:39 AM, Balla, Hithendra (EXT-Other - IN/Bangalore)
wrote:
>
> Hi all,
>
> We have the following log
>
> 2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 [ID 800047 auth.info] Accepted publickey for xyz
>
> We wanted to replace [ID 800047 auth.info] with an empty string (i.e. "")
> and print the following
>
> 2012-06-15T09:00:26+05:30 kddi-cm-1-sb 4/6 Accepted publickey for xyz
>
> So we have used the below re-write with subst. But this is not
> working in syslog-ng 3.4.0alpha2.
>
> rewrite rw_msg { subst("\\[.*\\]", "", value("MESSAGE")); };
>
> Can somebody help out here?
>
> Thanks
>
> Hithendra
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
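An added check, not part of the thread, of the subst regex from the messages above against sample MESSAGE values, using Python's re in place of PCRE (the patterns are written as raw regexes, without syslog-ng's config-string escaping). It shows the thread's [a-z]* facility pattern finding the tag in auth.info but not in local7.info, beside a digit-tolerant variant and an equivalent of the move-to-end rewrite; the tolerant pattern and the message IDs on the local7/local6 lines are my assumptions.

```python
import re

# Solaris prepends "[ID <msgid> <facility>.<priority>] " to the message text.
# Pattern from the thread: the facility is matched with [a-z]*, so a
# facility name containing a digit, such as local7, never matches.
ORIGINAL_TAG = re.compile(r"\[ID [0-9]* [a-z]*\.[a-z]*\] ")

# Digit-tolerant variant (my assumption, not from the thread): [a-z0-9]+
# accepts local0..local7 as well as auth, daemon, etc.
TOLERANT_TAG = re.compile(r"\[ID [0-9]+ [a-z0-9]+\.[a-z]+\] ")


def strip_tag(message, pattern=TOLERANT_TAG):
    """Like subst(<regex> "" value("MESSAGE")): drop the first tag occurrence."""
    return pattern.sub("", message, count=1)


def move_tag_to_end(message, pattern=TOLERANT_TAG):
    """Like the two-step rewrite in the thread: remove the tag, then append
    it after the message so prefix-matching patterndb rules still apply."""
    match = pattern.search(message)
    if match is None:
        return message
    tag = match.group(0).rstrip(" ")
    return strip_tag(message, pattern) + " " + tag


def compare_patterns(messages):
    """For each MESSAGE value, report whether each pattern finds the tag."""
    return [
        (msg, ORIGINAL_TAG.search(msg) is not None, TOLERANT_TAG.search(msg) is not None)
        for msg in messages
    ]


# Constructed MESSAGE values modelled on the thread's logger tests; the
# message IDs on the local7/local6 lines are placeholders, not real ones.
SAMPLES = [
    "[ID 800047 auth.info] Accepted publickey for xyz",
    "[ID 123456 local7.info] HELLO|KUAAA",
    "[ID 123456 local6.info] HELLO|KUAAA",
]

if __name__ == "__main__":
    for msg, orig_ok, tolerant_ok in compare_patterns(SAMPLES):
        print(f"original={orig_ok!s:5} tolerant={tolerant_ok!s:5}  {strip_tag(msg)!r}")
        print("  moved to end:", move_tag_to_end(msg))
```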
