[syslog-ng] [EXTERNAL] Re: Regular expressions in rewrite

Attila Szakacs (aszakacs) Attila.Szakacs at oneidentity.com
Fri Sep 6 06:12:01 UTC 2019


Hi Mark,

You are right, unset(value("copy_of_host")) is the way to go. 🙂

Regards,
Attila
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine at nasa.gov>
Sent: Thursday, September 5, 2019 3:17 PM
To: wernli at in2p3.fr <wernli at in2p3.fr>; Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] [EXTERNAL] Re: Regular expressions in rewrite


Thanks, this seems to work, though I had to change the unset to:

 unset(value("copy_of_host"))

I can't find anything in the docs for unset without using value().  Is this correct or does it change what is being done?

Thanks,
-Mark


-----Original Message-----
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Fabien Wernli
Sent: Monday, August 5, 2019 03:12
To: syslog-ng at lists.balabit.hu
Subject: [EXTERNAL] Re: [syslog-ng] Regular expressions in rewrite

On Fri, Aug 02, 2019 at 01:40:13PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:
> Is there a way to use regular expressions when setting a value in a rewrite rule?
[...]
> But without changing the actual log message.  The goal is to create a variable from a regular expression of the host field in the message that I can then use in a destination path.

You could copy the content of HOST into another macro, then use subst on the
copy:

  rewrite r_rewrite_set_host{
    set("$HOST", value("copy_of_host"));
    subst("^[a-z]+\-([a-z]+).*$", "$1", value("copy_of_host"));
    set("$copy_of_host", value("location")
      condition(
        filter(f_filter_hostnames)
      )
    );
    unset('copy_of_host');
  }

Note that you could also use named matches in subst:

  subst("^[a-z]+\-(?<location>[a-z]+).*$", "$1", value("copy_of_host"));

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
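
Added example, not part of the thread and not the posters' own configuration: the rewrite rule above with the unset(value(...)) form confirmed in the reply, wired to a destination path as the original question asked. The source s_net, the pattern inside f_filter_hostnames, the destinations d_by_location and d_unsorted, and the /var/log/sites paths are assumptions for illustration; the fragment is meant to be merged into an existing syslog-ng.conf.

```conf
# Hypothetical source; use whichever source already receives the messages.
source s_net {
  network(transport("udp") port(514));
};

# Hypothetical body for the filter the thread's rule references:
# only hosts shaped like <letters>-<letters>... are given a location.
filter f_filter_hostnames {
  host("^[a-z]+-[a-z]+");
};

rewrite r_rewrite_set_host {
  # Work on a copy so $HOST and the message itself stay unchanged.
  set("$HOST", value("copy_of_host"));
  # A constructed HOST of "web-paris01" leaves "paris" in the copy.
  # If the pattern does not match, subst() leaves the copy untouched,
  # which is why the next set() is guarded by a condition.
  subst("^[a-z]+\-([a-z]+).*$", "$1", value("copy_of_host"));
  set("$copy_of_host", value("location")
    condition(filter(f_filter_hostnames))
  );
  # Form confirmed in the thread: the name goes inside value().
  unset(value("copy_of_host"));
};

# HOST is supplied by the sender. The path below only ever receives
# ${location}, and the if() check re-validates it as lowercase letters,
# so no "/" or ".." from a hostname can reach the file name.
destination d_by_location {
  file("/var/log/sites/${location}/messages.log" create-dirs(yes));
};

# Fixed path for messages that did not yield a location.
destination d_unsorted {
  file("/var/log/sites/unsorted.log");
};

log {
  source(s_net);
  rewrite(r_rewrite_set_host);
  if (match("^[a-z]+$" value("location"))) {
    destination(d_by_location);
  } else {
    destination(d_unsorted);
  };
};
```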
