[syslog-ng] Replace hostname with a hostname extracted from the message
Gergely Nagy
algernon at balabit.hu
Wed Nov 14 14:50:55 CET 2012
Clayton Dukes <cdukes at gmail.com> writes:
> Thanks Gergely,
> I was trying to replace myhostname with the IP (removing the "Original
> Host=$IP"
> part of the message would be optional).
> I thought it would have to be done using something like patterndb, but
> wasn't sure.
A quick & dirty solution is to abuse the CSV parser, twice (do note that
I haven't tested it):
# Stage 1: split ${MESSAGE} at the first ":" only (greedy keeps the rest intact).
parser p_split_at_doublecolon {
    csv-parser(columns("csv.orig_host", "csv.message"),
               delimiters(":"),
               flags(greedy));
};
# Stage 2: split the "Original Host=IP" part at the "=".
parser p_split_at_equal {
    csv-parser(columns("csv.dummy", "csv.ip"),
               delimiters("="),
               template("${csv.orig_host}"));
};
# Put the remainder back into MESSAGE and use the extracted IP as HOST.
rewrite r_reassemble {
    set(":${csv.message}", value("MESSAGE"));
    set("${csv.ip}", value("HOST"));
};
log {
    source(s_yoursource);
    parser(p_split_at_doublecolon);
    parser(p_split_at_equal);
    rewrite(r_reassemble);
    destination(d_yourdestination);
};
What this does is split the original message into two parts: one before
the first ":", and the rest after (we need the greedy flag for this, so
that if the message contains more ":" chars, the parser won't split
there, but attach that to csv.message). The first part will be stored in
"csv.orig_host", the other in "csv.message", neither will contain the
":" itself.
Then, we use a similar trick to break the orig_host part apart:
everything in it after the equal sign is the IP.
After these two, we have the following things set up:
csv.orig_host = "Original Host=192.168.6.3"
csv.message = "LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions"
csv.dummy = "Original Host"
csv.ip = "192.168.6.3"
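To make the two-stage split and the rewrite easier to reason about before putting it into a live syslog-ng config, here is a small Python model of the log path from the post. This is an added illustration, not code from the post or from the syslog-ng project: csv_parser() and rewrite_set() are simplified stand-ins for the real csv-parser() and set() (they model delimiter splitting, the greedy flag, the strip-whitespace flag and ${name} template expansion, nothing more), and the sample messages are constructed to match the values listed above.

```python
import re
from typing import Dict, List

# Constructed sample message, chosen so the name-value pairs come out exactly
# as listed in the post (the HOST value "myhostname" is a placeholder).
SAMPLE = {
    "HOST": "myhostname",
    "MESSAGE": "Original Host=192.168.6.3: LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions",
}

# Constructed second sample: the remainder itself contains a ":", which is the
# case the greedy flag exists for.
SAMPLE_EXTRA_COLON = {
    "HOST": "myhostname",
    "MESSAGE": "Original Host=10.0.0.7: user=bob: login ok",
}

_REF = re.compile(r"\$\{([^}]+)\}")


def expand(template: str, msg: Dict[str, str]) -> str:
    """Expand ${name} references like a syslog-ng template; unknown names become ''."""
    return _REF.sub(lambda m: msg.get(m.group(1), ""), template)


def csv_parser(msg: Dict[str, str], columns: List[str], delimiters: str,
               greedy: bool = False, strip_whitespace: bool = False,
               template: str = "${MESSAGE}") -> bool:
    """Simplified model of csv-parser(): split the expanded template at any
    delimiter character. With greedy, the last column receives the unsplit
    remainder. Returns False (and leaves msg untouched) when the field count
    does not match the column count; syslog-ng's own edge-case handling
    (drop-invalid, quoting, escapes) is not modelled here."""
    text = expand(template, msg)
    pattern = "[" + re.escape(delimiters) + "]"
    maxsplit = len(columns) - 1 if greedy else 0
    fields = re.split(pattern, text, maxsplit=maxsplit)
    if len(fields) != len(columns):
        return False
    if strip_whitespace:
        fields = [f.strip() for f in fields]
    msg.update(zip(columns, fields))
    return True


def rewrite_set(msg: Dict[str, str], template: str, value: str) -> None:
    """Model of set(template, value(name)): store the expanded template in a macro."""
    msg[value] = expand(template, msg)


def process(msg: Dict[str, str], greedy: bool = True) -> Dict[str, str]:
    """The log path from the post: two csv-parser stages, then the rewrite rule.
    strip_whitespace is enabled here so csv.message has no leading blank, which
    is the value the post lists; the post's config itself does not set that flag."""
    out = dict(msg)
    if not csv_parser(out, ["csv.orig_host", "csv.message"], ":",
                      greedy=greedy, strip_whitespace=True):
        return out  # parse failed: message passes through unchanged
    if not csv_parser(out, ["csv.dummy", "csv.ip"], "=",
                      template="${csv.orig_host}"):
        return out
    rewrite_set(out, ":${csv.message}", "MESSAGE")
    rewrite_set(out, "${csv.ip}", "HOST")
    return out


if __name__ == "__main__":
    for name, value in sorted(process(SAMPLE).items()):
        print(f"{name} = {value!r}")
```

Running it prints the four csv.* values from the post plus the rewritten HOST and MESSAGE; process(SAMPLE_EXTRA_COLON, greedy=False) shows the failure mode the greedy flag avoids, because the extra ":" produces three fields for two columns and the message passes through with its original HOST. One point worth keeping in mind when deploying the real config: after the rewrite, HOST is taken from the message body, so whoever can write that body controls the host field that downstream correlation and alerting see.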