[syslog-ng] How to rewrite structured data - XML, Windows Events and format-json

Jim Hendrick james.r.hendrick at gmail.com
Tue Aug 28 18:31:14 UTC 2018


I am struggling with a configuration to rewrite specific sections of a
Windows Event log message and then send them along to splunk (I think json
is probably the easiest for splunk to ingest).

Many windows events contain extraneous text (e.g. "This event.....") that I
would like to remove.

I have been able to rewrite it using a regex
"This event.*</Message>" and replacing that with "DEADBEEF</Message>"

The problem is that I can only see this in a test file destination and not
in one that uses format-json (I set this up from the syslog-ng WEF
configuration guide)

Has anyone done anything like this?

I think my problem is that I don't understand how the message is changed
from its arrival through processing. My test can rewrite it within MSG or
MESSAGE - but when I try to use the rewrite() in the log statement using
the format-json destination, nothing seems to be changed.

Tips?

Thanks!
Jim
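The configuration shape the question is missing, as an added example rather than anything from the original post: one subst() rewrite placed in the log path ahead of both the plain-text test destination and the format-json destination, so both see the same stripped MESSAGE. The source port, file paths and @version line are assumptions.

```conf
@version: 3.17

# Constructed example: events arrive from the WEF forwarder over TCP syslog
# (assumption; substitute the source your WEF setup actually uses).
source s_wef {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Strip the trailing explanatory text. (?s) makes '.' span newlines, since
# the <Message> body of a Windows event is normally multi-line.
rewrite r_strip_explanation {
    subst("(?s)This event.*</Message>", "DEADBEEF</Message>", value("MESSAGE"));
};

# Plain-text destination for checking what the rewrite produced.
destination d_debug {
    file("/var/log/wef-debug.log" template("${MESSAGE}\n"));
};

# JSON destination for Splunk; the rfc5424 scope includes the MESSAGE field.
destination d_splunk_json {
    file("/var/log/wef-events.json"
         template("$(format-json --scope rfc5424 --key ISODATE)\n"));
};

# Order matters: the rewrite must precede every destination that should
# see the modified message, otherwise each destination gets the original.
log {
    source(s_wef);
    rewrite(r_strip_explanation);
    destination(d_debug);
    destination(d_splunk_json);
};
```

If the WEF guide's configuration parses the XML into name-value pairs before this point, a format-json template scoped to those pairs prints the parsed fields rather than ${MESSAGE}, so the subst() would have to target the parsed field instead.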