[syslog-ng] Parsing more than MSG macro
Thomas Straubinger
thomas.straubinger at nic.at
Thu Mar 12 11:14:29 CET 2015
Thanks Gergely, works fine! :-)
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Gergely Nagy
Sent: Wednesday, 11 March 2015 11:43
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] Parsing more than MSG macro
>>>>> "Thomas" == Thomas Straubinger <thomas.straubinger at nic.at> writes:
Thomas> Hello,
Thomas> is there a way to process more than the $MSG macro with a
Thomas> syslog-ng parse filter?
You can use the template() setting within the parser...
Thomas> We are forwarding our syslogs via rsyslog in this format (client config):
Thomas> $template tmpl_forward,"%hostname% %syslogtag% \"%msg%\"\n"
Thomas> *.* @@syslog:514;tmpl_forward
...though in this case, I would recommend using flags(no-parse) in the
source that consumes these messages. Then $MSG will contain the whole
line, and you are free to parse it in whatever way you wish. (Though, to
parse the date part properly, you may need a very recent syslog-ng.)
--
|8]
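The approach suggested in the quoted reply, written out as a syslog-ng configuration fragment. This is an added example, not part of the original thread; the object names (s_rsyslog, p_fwd, d_fwd), the FWD.* column names and the output path are assumptions, and the fragment is meant to be merged into an existing configuration.

```conf
# Added example; object names, column names and the output path are assumptions.

# Receive the rsyslog TCP forward (@@syslog:514) without syslog header parsing,
# so ${MSG} holds the whole line: hostname syslogtag "msg"
source s_rsyslog {
    tcp(port(514) flags(no-parse));
};

# Split ${MSG} on spaces; the double quotes keep the third field together.
# The rsyslog template shown in the thread does not escape a '"' inside %msg%,
# so such a message makes the quoting ambiguous; treat FWD.MSG as untrusted text.
parser p_fwd {
    csv-parser(
        columns("FWD.HOST", "FWD.TAG", "FWD.MSG")
        delimiters(" ")
        quote-pairs('""')
        flags(escape-none)
        template("${MSG}")
    );
};

# Fixed file name: FWD.HOST is supplied by the sender and is not used in the path.
destination d_fwd {
    file("/var/log/forwarded.log"
         template("${FWD.HOST} ${FWD.TAG} ${FWD.MSG}\n"));
};

log {
    source(s_rsyslog);
    parser(p_fwd);
    destination(d_fwd);
};
```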