[syslog-ng] Regular expressions in rewrite

Gabor Nagy (gnagy) Gabor.Nagy at oneidentity.com
Tue Aug 6 07:56:48 UTC 2019


I would rephrase your question:
Is there a way to extract information with a regular expression out of a message without changing the given value?
In short: yes, but not in one step.

I would do something similar to Fabien's answer: you need to copy the given value to protect it.

I was thinking about how you can save some steps, maybe by using the regex capture group variables $0, $1,
e.g.

  filter { match("^[a-z]+\-([a-z]+).*$", value("HOST") flags(store-matches)); };
  rewrite { set("$1" value("location")); };

Or how to save using the "copy_of_host" temporary variable, but in every case you end up with additional complexity.

Regards,
Gabor

________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Fabien Wernli <wernli at in2p3.fr>
Sent: Monday, August 5, 2019 10:12
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Regular expressions in rewrite


On Fri, Aug 02, 2019 at 01:40:13PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:
> Is there a way to use regular expressions when setting a value in a rewrite rule?
[...]
> But without changing the actual log message.  The goal is to create a variable from a regular expression of the host field in the message that I can then use in a destination path.

You could copy the content of HOST into another macro, then use subst on the
copy:

  rewrite r_rewrite_set_host {
    set("$HOST", value("copy_of_host"));
    subst("^[a-z]+\-([a-z]+).*$", "$1", value("copy_of_host"));
    set("$copy_of_host" value("location")
      condition(
        filter(f_filter_hostnames)
      )
    );
    unset(value("copy_of_host"));
  };

Note that you could also use named matches in subst:

  subst("^[a-z]+\-(?<location>[a-z]+).*$", "$1", value("copy_of_host"));
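
Added example, not part of either message and not syslog-ng project code: the copy-then-subst approach wired into a complete log path, with the extracted value used in a destination file name. The names s_net, r_location and d_by_location, the UDP listener, the /var/log/sites path and the "unknown" fallback are assumptions made for the illustration; the fragment is meant to be included from an existing syslog-ng.conf. Because HOST comes from the network, the value that reaches the path template is restricted to what the anchored [a-z]+ group captured, and hosts that do not match fall back to a fixed directory instead of passing their raw name into the path.

```conf
# Constructed example: names, port and paths are assumptions, not from the thread.
source s_net {
    network(transport("udp") port(514));
};

rewrite r_location {
    # Fixed fallback, so a non-matching host never supplies the path component.
    set("unknown" value("location"));

    # Work on a copy: subst() rewrites the value it is given, and HOST must stay intact.
    set("$HOST" value("copy_of_host"));
    subst("^[a-z]+-([a-z]+).*$", "$1", value("copy_of_host"));

    # subst() leaves the copy unchanged when the pattern does not match, so only
    # take the result when HOST really has the <prefix>-<location> shape.
    set("$copy_of_host" value("location")
        condition(match("^[a-z]+-([a-z]+).*$" value("HOST")))
    );

    # Drop the temporary name-value pair.
    unset(value("copy_of_host"));
};

destination d_by_location {
    # ${location} is either "unknown" or lowercase letters only, so it cannot
    # contain "/" or ".." and cannot redirect the file outside /var/log/sites.
    file("/var/log/sites/${location}/messages.log" create-dirs(yes));
};

log {
    source(s_net);
    rewrite(r_location);
    destination(d_by_location);
};
```

The message text and $HOST are written out unmodified; only the added "location" value differs between hosts.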
