[syslog-ng] Replace hostname with a hostname extracted from the message

Clayton Dukes cdukes at gmail.com
Wed Nov 14 14:25:19 CET 2012


Thanks Gergely,
I was trying to replace myhostname with the IP (removing the "Original
Host=$IP"
part of the message would be optional).
I thought it would have to be done using something like patterndb, but
wasn't sure.
I'll try to read up and figure out how to do it, as my patterndb experience
is a bit lacking still :-)


______________________________________________________________

Clayton Dukes
______________________________________________________________


On Wed, Nov 14, 2012 at 5:26 AM, Gergely Nagy <algernon at balabit.hu> wrote:

> Clayton Dukes <cdukes at gmail.com> writes:
>
> > Hi Folks,
> > How can I extract a hostname from the message and replace the source ip
> > with that name/ip address?
> >
> > Sample message:
> > Nov 13 18:11:00 myhostname mymessage: Original
> > Host=192.168.6.3:LOW_THRESHOLD_EVENT
> > - 0 AUTHORIZED sessions
> >
> > So, I need a rewrite rule(?) to take 192.168.6.3 and replace $HOST with
> it:
> > Nov 13 18:11:00 92.168.6.3 mymessage:LOW_THRESHOLD_EVENT - 0
> > AUTHORIZED sessions
>
> Do you want to replace 'myhostname' with the IP, or the IP with
> myhostname?
>
> If you want to replace myhostname with the IP, and remove the "Original
> Host=$IP" part of the message, you will need to pick out the IP from the
> message part (either with patterndb, or some other way), then create a
> rewrite rule that removes it from $MESSAGE. Then, on the destination
> side, I'd use a template to re-assemble the thing, replacing $HOST with
> the extracted IP address.
>
> If you want to replace the IP with the hostname, that's a little bit
> easier:
>
> rewrite r_subst_ip {
>  subst("Original Host=[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*", "$HOST",
>        value("MESSAGE"));
> };
>
> --
> |8]
>
>
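The first option Gergely describes (pick the IP out of the message, drop the "Original Host=$IP" part from $MESSAGE, then put the extracted IP in place of $HOST) can be done without patterndb, using a match() filter with store-matches to capture the IP into $1. The configuration below is an added example, not from either poster; it assumes syslog-ng 3.x, and the source name, destination name, file path and the `orig_syslog_host` value name are placeholders.

```conf
# Added example (not from the thread): replace $HOST with the IP embedded
# in the message body and strip the "Original Host=<ip>:" prefix.
# Assumes syslog-ng 3.x; s_net, d_file and the file path are placeholders.

source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Match only messages that carry the embedded IP and keep the capture
# group in $1 (flags("store-matches")). Inside a double-quoted syslog-ng
# string the regexp backslash itself has to be escaped, hence "\\.".
filter f_orig_host {
    match("Original Host=([0-9]{1,3}(?:\\.[0-9]{1,3}){3}):"
          value("MESSAGE") type("pcre") flags("store-matches"));
};

rewrite r_host_from_msg {
    # keep the host the message actually arrived with before overwriting it
    set("${HOST}", value("orig_syslog_host"));
    # $1 is the IP captured by f_orig_host
    set("$1", value("HOST"));
    # remove the "Original Host=192.168.6.3:" prefix from the message text
    subst("Original Host=[0-9]{1,3}(\\.[0-9]{1,3}){3}:", "",
          value("MESSAGE"), type("pcre"));
};

# Re-assemble the line with the rewritten $HOST, as suggested in the reply
destination d_file {
    file("/var/log/rewritten.log"
         template("${DATE} ${HOST} ${PROGRAM}: ${MESSAGE}\n"));
};

log {
    source(s_net);
    filter(f_orig_host);
    rewrite(r_host_from_msg);
    destination(d_file);
};
```

For the sample message in the thread this yields "Nov 13 18:11:00 192.168.6.3 mymessage: LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions". Two things to keep in mind: messages that do not match f_orig_host leave this log path, so give them their own log statement (or a path with flags(fallback)) if they should still be written somewhere; and because the new $HOST comes from message text the sender controls, the original host is kept in ${orig_syslog_host}, which you can add to the template (or to a structured destination) when the log is used for investigations.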