[syslog-ng] issues with rewrite and subst

Antal Nemes (anemes) Antal.Nemes at oneidentity.com
Tue Apr 14 05:49:07 UTC 2020


You need double escaping:

With this version, it worked for me:

    rewrite { subst("^.+\\((.+)\\)", "${1}", value("user_name")) ;};

From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Russell Fulton <r.fulton at auckland.ac.nz>
Sent: Sunday, April 12, 2020 23:03
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] issues with rewrite and subst

CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.

version 3.26.1

I am attempting to use rewrite to copy part of one macro into a new one:

rewrite r_user1 { set( "${user}", value("user_name"));};
rewrite r_user2 { subst( "^.+\((.+)\)", "${1}", value("user_name")) ;};

The first simply copies user into user_name.
The second is intended to extract anything in parentheses and throw away the rest.

here is a cleaned up dump of json output including the macros from the regexp:

{"user_name":")","user”:”yyyyn at gmail.com(xxx549)","2":")","1":")","0”:”yyyy at gmail.com(xxx549)”}

I believe ‘1’ should contain ‘xxx549’ not ‘)’.

I have tested the regexpn in ruby’s irb and it works fine there.

here is another example this one where the regexp should not have matched at all:


macros 1 and 2 always seem to contain the last character of the original string.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200414/77b13ea9/attachment.html>

More information about the syslog-ng mailing list