[syslog-ng] [EXTERNAL] Re: Regular expressions in rewrite

Faine, Mark R. (MSFC-IS40)[NICS] mark.faine at nasa.gov
Thu Sep 5 13:17:38 UTC 2019


Thanks, this seems to work, though I had to change the unset to:

 unset(value("copy_of_host")) 

I can't find anything in the docs for unset without using value().  Is this correct or does it change what is being done?

Thanks,
-Mark


-----Original Message-----
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Fabien Wernli
Sent: Monday, August 5, 2019 03:12
To: syslog-ng at lists.balabit.hu
Subject: [EXTERNAL] Re: [syslog-ng] Regular expressions in rewrite

On Fri, Aug 02, 2019 at 01:40:13PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:
> Is there a way to use regular expressions when setting a value in a rewrite rule?
[...]
> But without changing the actual log message.  The goal is to create a variable from a regular expression of the host field in the message that I can then use in a destination path.

You could copy the content of HOST into another macro, then use subst on the
copy:

  rewrite r_rewrite_set_host{
    set("$HOST", value("copy_of_host"));
    subst("^[a-z]+\-([a-z]+).*$", "$1", value("copy_of_host"));
    set("$copy_of_host" value("location")
      condition(
        filter(f_filter_hostnames)
      )
    );
    unset('copy_of_host');
  }

Note that you could also use named matches in subst:

  subst("^[a-z]+\-(?<location>[a-z]+).*$", "$1", value("copy_of_host"));
 