[syslog-ng] rewrite part of the message...

Evan Rempel erempel at uvic.ca
Sat May 11 06:33:35 CEST 2013


I don't know what the original message looks like that you are trying to substitute in, but I think the issue may be with the \s+. You could try \s* in case there is not any whitespace at the beginning.

Also, since pcre is greedy by default, the \| is not necessary. The [^|]+ (which should probably be [^|]* in case the | follows immediately) will by definition be followed by a | or the end of line.

Evan Rempel   250.271.7691
University Systems, University of Victoria

Russell Fulton <r.fulton at auckland.ac.nz> wrote:


I got this going with:

rewrite r_snarex { subst("\s+This event is generated when.+", "", value("MSGONLY") type("pcre"));};

Does this mean that my syslog_ng does not support pcre?

Russell

On 11/05/2013, at 2:29 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> Apologies to those of you who have already seen this on the ELSA list.
>
> I want to get rid of the explanatory essay that accompanies some eventlog messages from Windows.
>
> I tried this:
>
> rewrite r_snarex { subst("\s+This event is generated when[^|]+\|", "|", value("MSGONLY") type("pcre"));
> };
>
> and added it to the log section, but it did not work. I have tried various variations on the theme too.
>
> Russell
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
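Added example, not part of the original thread: a small harness that runs the two patterns posted above, plus a relaxed form combining the reply's suggestions, against sample messages to show when each one matches and what it deletes. The sample messages, the rule names and the empty replacement used for the relaxed form are assumptions made for this illustration; Python's `re` stands in for PCRE, which behaves the same for these constructs.

```python
import re

# Constructed Snare-style messages (not taken from the thread); "|" separates fields.
SAMPLES = {
    "essay_mid_field": "4624|Logon OK  This event is generated when a logon session is created.|user=alice",
    "essay_at_end": "4624|Logon OK  This event is generated when a logon session is created.",
    "no_leading_space": "4624|This event is generated when a logon session is created.|user=alice",
}

# (pattern, replacement) pairs. "original" and "working" are the two subst()
# expressions from the thread; "relaxed" applies \s* and [^|]* and drops the
# trailing \| (so the replacement becomes "" instead of "|": an assumption).
RULES = {
    "original": (r"\s+This event is generated when[^|]+\|", "|"),
    "working": (r"\s+This event is generated when.+", ""),
    "relaxed": (r"\s*This event is generated when[^|]*", ""),
}


def apply_rule(rule, message):
    """Return (rewritten_message, number_of_substitutions) for one rule."""
    pattern, replacement = RULES[rule]
    return re.subn(pattern, replacement, message)


def matrix():
    """Apply every rule to every sample message."""
    return {(r, s): apply_rule(r, m) for r in RULES for s, m in SAMPLES.items()}


if __name__ == "__main__":
    for (rule, sample), (out, hits) in matrix().items():
        status = "rewritten" if hits else "NO MATCH "
        print(f"{rule:9} {sample:17} {status} {out}")
```

On these samples the original pattern only matches when the essay is followed by a `|`, and the `.+` variant also removes any fields that come after the essay, which matters if later fields are needed for searching or alerting.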
