[syslog-ng] Replace hostname with a hostname extracted from the message

Gergely Nagy algernon at balabit.hu
Wed Nov 14 17:56:19 CET 2012


Clayton Dukes <cdukes at gmail.com> writes:

> Hi Gergely,
> I'm trying to understand this :-)
>
> Where are the delimiters in the above example?
> How does it know to split at a double colon?
> How does it know to split at the equal?

Duh! I forgot to include them (so it defaults to whitespace). Add a
delimiters(":") to the first, and delimiters("=") to the second.

Sorry!

> Are they just assumed delimiters because they are non-alpha characters?
>
> The folks I am working on this for changed the message format a bit
> yesterday, so now messages appear as (example):
> Nov 14 15:26:30 somehostname startofmessage:
> %SYS-3-LOW_THRESHOLD:DEVICENAME Original Address=192.168.1.1
> LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions

This'll be a little harder to do with csv-parser, but not impossible!

You'd need to split on "=" first (into, say, csv.first_part and
csv.second_part). Then split the first part on whitespace (into
csv.cisco_thingy, and some dummy), then split the second part on
whitespace (into csv.ip and csv.message).

-- 
|8]
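The three-stage csv-parser chain described in the reply, written out as a syslog-ng configuration. This is an added example, not code from the thread; the source, destination, log path and `@version` line are assumptions, and `flags(greedy)` is used so that the last column of each parser absorbs the rest of its input instead of dropping it.

```conf
@version: 3.3

# Assumed source: syslog over UDP (not from the original thread).
source s_net { udp(); };

# Step 1: split the whole message on "=".
# For the sample message this yields
#   csv.first_part  = "%SYS-3-LOW_THRESHOLD:DEVICENAME Original Address"
#   csv.second_part = "192.168.1.1 LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions"
parser p_split_eq {
    csv-parser(columns("csv.first_part", "csv.second_part")
               delimiters("=")
               flags(greedy)
               template("${MESSAGE}"));
};

# Step 2: split the first part on whitespace; the greedy dummy column
# swallows "Original Address" so csv.cisco_thingy is just the token
# "%SYS-3-LOW_THRESHOLD:DEVICENAME".
parser p_first {
    csv-parser(columns("csv.cisco_thingy", "csv.dummy")
               delimiters(" ")
               flags(greedy)
               template("${csv.first_part}"));
};

# Step 3: split the second part on whitespace into the address and the
# remaining text: csv.ip = "192.168.1.1",
# csv.message = "LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions".
parser p_second {
    csv-parser(columns("csv.ip", "csv.message")
               delimiters(" ")
               flags(greedy)
               template("${csv.second_part}"));
};

# Assumed destination: write the extracted fields to a file.
destination d_parsed {
    file("/var/log/parsed.log"
         template("${csv.cisco_thingy} ip=${csv.ip} msg=${csv.message}\n"));
};

log {
    source(s_net);
    parser(p_split_eq);
    parser(p_first);
    parser(p_second);
    destination(d_parsed);
};
```

Each parser's `template()` feeds it the column produced by the previous one, which is what lets the split happen in three passes rather than one.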