[syslog-ng] Parsing message in unstructured rows

Giovanni Mancuso giovanni.mancuso at par-tec.it
Mon Sep 7 18:10:59 CEST 2015


Hi,

I have an application that logs the date in every row. The problem is that
the string isn't in a specific part of MESSAGE; it could be the first
element, the last element, or in the middle :-) :-)

For example (only MESSAGE):
User: user1 at example.com *Date: 12/12/2014* Status: OK
User: user2 at example.com ID: 1234 Status: DEL .......  *Date: 03/05/2014*
*Date: 05/08/2015* User: user3 at example.com ....... Stauts: OK
.........

I want to split the log into multiple files arranged in different paths built
from the date information, for example /LOGS/YYYY/MM/DD/mylog.log.

I do:
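rewrite r_rewrite_set {
   set("$(python get_data)", value("APP.DATE"));
};

python{
import re

# Template function: returns the date found in MESSAGE.
def get_data(logmsg):
  # \b instead of literal spaces, so the field also matches when it is the
  # first or the last element of MESSAGE; the raw string keeps \d intact.
  out = re.findall(r"\bDate: (\d\d/\d\d/\d\d\d\d)\b", logmsg.MESSAGE)
  if len(out) == 1:
      return out[0]
  else:
      raise Exception("Invalid match")
};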

In this way I have the date in APP.DATE.
Now I have some questions:
1) Is there another way to do this without Python?
2) In this way, for every message, does syslog-ng fork and exec a Python
interpreter?
3) Is there a way to add a custom SDATA field from Python? Or is there a
way to create APP.DATE from Python without a rewrite rule?
4) Is there documentation about python{}? I only found a post in a blog.

Thanks
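
An added example, not part of the original post: a variant of get_data that finds the Date field in any position and returns the YYYY/MM/DD path fragment only for a real calendar date, so nothing but digits taken from the message can reach the destination path. It works on a plain string rather than a syslog-ng message object, assumes day/month/year order (the post does not say), and the names date_path, FALLBACK and SAMPLES are hypothetical.

```python
import re
from datetime import datetime

# \b on both sides lets the field match as first, middle or last element.
DATE_RE = re.compile(r"\bDate: (\d{2}/\d{2}/\d{4})\b")

# Hypothetical directory name for messages without exactly one usable date.
FALLBACK = "unknown"


def date_path(message, fmt="%d/%m/%Y"):
    """Return 'YYYY/MM/DD' for the single Date field in message, else FALLBACK.

    fmt is an assumption (day/month/year); pass "%m/%d/%Y" if the
    application writes month first.
    """
    found = DATE_RE.findall(message)
    if len(found) != 1:
        return FALLBACK  # no date, or more than one candidate
    try:
        parsed = datetime.strptime(found[0], fmt)
    except ValueError:
        return FALLBACK  # right shape but not a real date, e.g. 31/02/2015
    # Built from integers only, so the result is always digits and slashes.
    return "%04d/%02d/%02d" % (parsed.year, parsed.month, parsed.day)


# Constructed sample messages, modelled on the three shapes in the post.
SAMPLES = [
    "User: user1 at example.com Date: 12/12/2014 Status: OK",
    "User: user2 at example.com ID: 1234 Status: DEL Date: 03/05/2014",
    "Date: 05/08/2015 User: user3 at example.com Status: OK",
    "User: user4 at example.com Date: 31/02/2015 Status: OK",
    "User: user5 at example.com Status: OK",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print("/LOGS/%s/mylog.log  <-  %s" % (date_path(msg), msg))
```

Returning a fallback instead of raising keeps messages with a missing or malformed date in one known directory rather than losing them.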
