[syslog-ng] rewrite in syslog-ng

Evan Rempel erempel at uvic.ca
Thu Sep 12 12:58:13 UTC 2024


The square brackets are special characters in a pcre expression and need to be escaped. The other tricky thing is that pcre expressions are greedy. By that I mean that this will match the first [ and then the LAST ], so in your example the following would be removed:

[*09/12/2024 11:39:31.9055] bwar: [7649:I:CN_ML]

Or more if there is another ] in the message.

The expression you are looking for is

subst( '^\[\*\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+\]\s', '', type(pcre), value("MESSAGE"));

--
Evan

________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Wilson, Jonathan L <jonathan.wilson at vumc.org>
Sent: September 12, 2024 4:49 AM
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] rewrite in syslog-ng


Running OSE version 3.38.1 and having difficulty with a rewrite rule.

The logs that I’m trying to modify look like:

2024-09-12T06:39:31-05:00 hostname kernel: [*09/12/2024 11:39:31.9055] bwar: [7649:I:CN_ML] …

What I am trying to do is remove the extra timestamp in square brackets (the first field in square brackets above.)

My rewrite rule looks like:

rewrite r_bracketed_ts {
    subst( '^[.+]\s', '', type(pcre), value("MESSAGE"));
};

It is invoked from this log statement:

log {
    source(s_BSD_UDP_514);
    filter(f_something);
    rewrite(r_bracketed_ts);
    destination(d_something);
    flags(final,flow-control);
};

The problem is that the rewrite appears to do nothing; log entries come out unmodified. Am I missing something?

Thank you –

Jon Wilson
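
The three patterns at issue in this thread, compared side by side in an added example that is not part of either message. It uses Python's `re` module as a stand-in for PCRE (the constructs used here behave the same in both) and assumes MESSAGE begins at the bracketed timestamp; the trailing `link [up] ok` text and the second sample are constructed.

```python
import re

# Constructed sample: the MESSAGE part of the log line quoted in the thread
# (assumes syslog-ng has already parsed off the timestamp, host and program),
# with constructed trailing text that contains another "] ".
MESSAGE = "[*09/12/2024 11:39:31.9055] bwar: [7649:I:CN_ML] link [up] ok"

# Constructed sample: a message that has no extra timestamp but still starts
# with a bracketed field that must be preserved.
NO_TS = "[7649:I:CN_ML] started"

PATTERNS = {
    # As posted: unescaped [.+] is a character class matching one '.' or '+'.
    "original": r"^[.+]\s",
    # Brackets escaped, .+ left greedy: runs to the LAST "] " in the message.
    "greedy": r"^\[.+\]\s",
    # Pattern from the reply: only the fixed timestamp layout can match.
    "anchored": r"^\[\*\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+\]\s",
}


def apply_subst(pattern, message):
    """Mimic subst(pattern, '', type(pcre)): replace the first match only."""
    return re.sub(pattern, "", message, count=1)


def results(message=MESSAGE):
    """Return what each pattern leaves of the message."""
    return {name: apply_subst(p, message) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for sample in (MESSAGE, NO_TS):
        print(repr(sample))
        for name, out in results(sample).items():
            print(f"  {name:9} -> {out!r}")
```

The second sample shows why the strict timestamp pattern matters for log integrity: a loose bracket pattern silently deletes fields from messages that never carried the extra timestamp.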

