[syslog-ng] Parsing more than MSG macro

Thomas Straubinger thomas.straubinger at nic.at
Tue Mar 10 16:40:25 CET 2015


Hello,

is there a way to process more than the $MSG macro with a syslog-ng parse filter?
We are forwarding our syslogs via rsyslog in this format (client config):

$template tmpl_forward,"%hostname% %syslogtag% \"%msg%\"\n"
*.* @@syslog:514;tmpl_forward


I have created the following parser rule in syslog-ng:

parser p_INTERNAL {
    csv-parser(columns("INTERNAL.TIME_LOGGED", "INTERNAL.TIME_RECEIVED", "INTERNAL.RELAY_HOST", "INTERNAL.LOGGING_HOST", "INTERNAL.PROGRAM", "INTERNAL.MESSAGE")
    flags(escape-double-char,strip-whitespace)
    delimiters(" ")
    quote-pairs('""[]')
    );
};


I want to create the logfile in this format:

destination d_intern2 {
  file("/log-local/__OPS__/$YEAR-$MONTH/xxx-${INTERNAL.LOGGING_HOST}.log"
   );
};


Unfortunately, syslog-ng does not fill up the $MSG macro with the whole content provided by the client via "%hostname% %syslogtag% \"%msg%\"\n". So it's not possible to fill (parse) the desired 'INTERNAL.LOGGING_HOST' variable. How could I get the content of %hostname% (sent by rsyslog) into the 'INTERNAL.LOGGING_HOST' variable of syslog-ng?

Thank you!
Thomas
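
An added example, not part of the original post and not syslog-ng code: a simplified Python model of splitting a line in the rsyslog template's format into columns once the whole line is available, with a check on the client-supplied hostname before it is used in the d_intern2 file path. The three-column layout, the hostname pattern and the sample line are assumptions.

```python
import re

# Assumed columns, one per field of the rsyslog template shown in the post:
#   "%hostname% %syslogtag% \"%msg%\"\n"
COLUMNS = ("INTERNAL.LOGGING_HOST", "INTERNAL.PROGRAM", "INTERNAL.MESSAGE")

# Assumption: hostnames are restricted to RFC 1123 characters.
SAFE_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def split_forwarded(line, ncols=len(COLUMNS)):
    """Split on spaces outside double quotes; the last column keeps the rest."""
    fields, buf, in_quotes = [], [], False
    i, line = 0, line.rstrip("\n")
    while i < len(line):
        ch = line[i]
        if ch == '"':
            if in_quotes and line[i + 1:i + 2] == '"':  # doubled quote = literal
                buf.append('"')
                i += 1
            else:
                in_quotes = not in_quotes
        elif ch == " " and not in_quotes and len(fields) < ncols - 1:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse(line):
    fields = split_forwarded(line)
    if len(fields) != len(COLUMNS):
        raise ValueError("expected %d fields, got %d" % (len(COLUMNS), len(fields)))
    return dict(zip(COLUMNS, fields))


def log_path(record, year, month):
    """Build the per-host path, refusing hostnames unfit for a file name."""
    host = record["INTERNAL.LOGGING_HOST"]
    if not SAFE_HOST.fullmatch(host) or ".." in host:
        raise ValueError("unsafe hostname: %r" % host)
    return "/log-local/__OPS__/%04d-%02d/xxx-%s.log" % (year, month, host)


# Constructed sample line in the template's format (not taken from the post).
SAMPLE = 'web01 sshd[4242]: "Failed password for invalid user admin"\n'
```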


