[syslog-ng] Dynamic setting value out of message?

Nagy Gábor gabor.hl at gmail.com
Wed Jun 30 15:24:21 UTC 2021

Hi Matthias,

May I ask, is the key 'MESSAGE' fixed and the value is changing between
For that you could parse the incoming json with json-parser() and store the
parsed key-values, then you can easily set the desired SDATA field with a
rewrite rule.

Alternatively, you can set the "store-matches" flag for filters and use the
matching groups in a follow-up rewrite rule.


On Tue, 29 Jun 2021, 10:42 Matthias Gruber, <MGruber at metzler.com> wrote:

> Hi!
> I hope it is simple and my thoughts and seeks about it were too complicated
> :-), simply I didn't know how to do that, perhaps someone has a clue for me
> I am getting e.g. messages like
> "MESSAGE": "UIMUC4Maintenance.py: \"== deactivate_uc4_monitoring = ENDE
> ==\"",
> (that's out of a JSON-formatted syslog-ng output),
> What I would like to do is, to extract the 'UIMUC4Maintenance.py:' and put
> it into a SDATA-Custom-Variable or PROG but based on a regex
> so some sort of rewrite-rule like (no not a correct syntax, only to
> describe it)
> rewrite r_fill_program {
>   set(match("^\w*\.py:" value("MESSAGE")) value("PROG"));
> };
> As far as I understand it, set requires a "string" as first parameter, I
> could use lots of rewrites with a condition, but I am in "lack of a
> static string", this should be some sort of variable :-)
> or I could do that static with a filter for every "^\w*\.py:"-Text, but I
> hope I could do that dynamic, every time a match of my regex syslog-ng
> inserts that part into a variable and so on...
> Is that possible?
> cheers
> Matthias
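The "store-matches" approach from the reply above, written out as an added example that is not part of either message. The names s_in and d_out, the group name "script", the SD-ID custom@32473 and the @version value are assumptions; the macro for the program field is PROGRAM.

```conf
# Added example, not from the thread. s_in, d_out, the "script" group name and
# the SD-ID custom@32473 (32473 is the IANA documentation enterprise number)
# are constructed; @version must match the installed release.
@version: 3.30

source s_in { stdin(flags(no-parse)); };

destination d_out {
    file("/dev/stdout"
         template("prog=${PROGRAM} sd=${.SDATA.custom@32473.script} msg=${MESSAGE}\n"));
};

log {
    source(s_in);

    # Only needed when the input line is itself JSON: json-parser() stores
    # each key under the prefix, so the text ends up in ${.json.MESSAGE}.
    # parser { json-parser(prefix(".json.")); };
    # ...and the filter below would then use value(".json.MESSAGE").

    # Single quotes keep the backslashes literal. The regex is anchored and
    # limited to \w characters, because whatever matches is sender-controlled
    # text that ends up in a header field.
    if (match('^(?<script>\w+\.py):' value("MESSAGE") flags("store-matches"))) {
        rewrite {
            # $1 is the first capture group of the last successful match.
            set("$1" value("PROGRAM"));
            # A named group is stored as a name-value pair of the same name.
            set("${script}" value(".SDATA.custom@32473.script"));
        };
    };

    # Messages that do not match still reach the destination unchanged.
    destination(d_out);
};
```

Putting the match inside an if block rather than a standalone filter() keeps non-matching messages in the log path instead of dropping them.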