[syslog-ng] Parsing more than MSG macro

Gergely Nagy algernon at madhouse-project.org
Wed Mar 11 11:42:44 CET 2015


>>>>> "Thomas" == Thomas Straubinger <thomas.straubinger at nic.at> writes:

    Thomas> Hello,
    Thomas> is there a way to process more than the $MSG macro with a
    Thomas> syslog-ng parse filter?

You can use the template() setting within the parser...

    Thomas> We are forwarding our syslogs via rsyslog in this format (client config):

    Thomas> $template tmpl_forward,"%hostname% %syslogtag% \"%msg%\"\n"
    Thomas> *.* @@syslog:514;tmpl_forward

...though in this case, I would recommend using flags(no-parse) in the
source that consumes these messages. Then $MSG will contain the whole
line, and you are free to parse it in whatever way you wish. (Though, to
parse the date part properly, you may need a very recent syslog-ng.)

-- 
|8]
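
A sketch of the approach suggested in the reply, given here as an added example that is not part of the original message and is not the poster's own configuration: a source with flags(no-parse) leaves the whole forwarded line in $MSG, and a csv-parser then splits it to match the rsyslog template quoted above. The object names (s_fwd, p_fwd, d_fwd), the FWD.* column names and the output path are hypothetical, and the fragment assumes the msg field contains no embedded double quotes.

```conf
# Added example: fragment to merge into an existing syslog-ng.conf.
# All object names, FWD.* columns and the file path are hypothetical.

# rsyslog forwards with "@@syslog:514", i.e. plain TCP to port 514.
# flags(no-parse) disables syslog header parsing, so the complete
# received line ends up in ${MSG}.
source s_fwd {
    tcp(port(514) flags(no-parse));
};

# Split the line produced by the client template
#   %hostname% %syslogtag% "%msg%"
# into three name-value pairs. The surrounding double quotes keep the
# spaces inside the msg field from being treated as delimiters.
parser p_fwd {
    csv-parser(
        columns("FWD.HOST", "FWD.TAG", "FWD.MSG")
        delimiters(" ")
        quote-pairs('""')
        template("${MSG}")
    );
};

# Write the extracted fields back out. FWD.HOST is text supplied by the
# sender, not a value syslog-ng verified, so treat it as untrusted when
# it is used for routing or file naming.
destination d_fwd {
    file("/var/log/forwarded.log"
         template("${FWD.HOST} ${FWD.TAG} ${FWD.MSG}\n"));
};

log {
    source(s_fwd);
    parser(p_fwd);
    destination(d_fwd);
};
```

The rsyslog template does not escape double quotes inside %msg%, so a message that contains one will split differently from what the three columns expect; check a sample of real traffic before relying on FWD.MSG.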

