[syslog-ng] Replace hostname with a hostname extracted from the message

Wed Nov 14 11:26:33 CET 2012

Clayton Dukes <cdukes at gmail.com> writes:

> Hi Folks,
> How can I extract a hostname from the message and replace the source ip
> with that name/ip address?
>
> Sample message:
> Nov 13 18:11:00 myhostname mymessage: Original
> Host=192.168.6.3:LOW_THRESHOLD_EVENT
> - 0 AUTHORIZED sessions
>
> So, I need a rewrite rule(?) to take 192.168.6.3 and replace $HOST with it:
> Nov 13 18:11:00 92.168.6.3 mymessage:LOW_THRESHOLD_EVENT - 0
> AUTHORIZED sessions

Do you want to replace 'myhostname' with the IP, or the IP with
myhostname?

If you want to replace myhostname with the IP, and remove the "Original
Host=$IP" part of the message, you will need to pick out the IP from the
message part (either with patterndb, or some other way), then create a
rewrite rule that removes it from $MESSAGE. Then, on the destination
side, I'd use a template to re-assemble the thing, replacing $HOST with
the extracted IP address.

If you want to replace the IP with the hostname, that's a little bit
easier:

rewrite r_subst_ip {
 subst("Original Host=[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*", "$HOST",
       value("MESSAGE"));
};

-- 
|8]