wow! %msg:F,32:2% works! i completely misunderstood how Fielf works...i thought the first number was the FromChar and second the ToChar... Thanks a lot!!!
2008/3/20, Rainer Gerhards <[EMAIL PROTECTED]>: > Should work with fields (much faster). I can't try it out due to relp > work, but try: > > %msg:F,32:2% [32 is USASCII SP, the delimiter here] > > But maybe %msg:F,32:1% - you need to experiment a bit. In any case, that > should work... > > > Rainer > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:rsyslog- > > [EMAIL PROTECTED] On Behalf Of Maurizio Rottin > > > Sent: Thursday, March 20, 2008 3:59 PM > > To: rsyslog-users > > Subject: Re: [rsyslog] rsyslog with apache and per vhost log > > > > yes! but actually there is a space at the beginning and hostname can > > contain the dash -, numbers, and letters. > > > > 2008/3/20, Rainer Gerhards <[EMAIL PROTECTED]>: > > > Let me try to avoid the regexp (its expensive and I can not debug it > > now > > > ;)): so you search for the string that is at the start of the msg > > and > > > delimited by the first space? > > > > > > > > > > > > Rainer > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] [mailto:rsyslog- > > > > [EMAIL PROTECTED] On Behalf Of Maurizio Rottin > > > > > > > Sent: Thursday, March 20, 2008 3:47 PM > > > > To: rsyslog-users > > > > Subject: Re: [rsyslog] rsyslog with apache and per vhost log > > > > > > > > > > > 2008/3/20, Rainer Gerhards <[EMAIL PROTECTED]>: > > > > > Can you send me a handful of the logline to play with? Probably > > not > > > > this > > > > > week, but next... > > > > > > > > > > > > > www.mysite.com 192.168.242.2 [20/Mar/2008:15:41:10 +0100] "GET > > > > /images/wm001.jpg HTTP/1.1" 304 - > > "http://www.mysite.com/webmail.htm"; > > > > "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) > > Gecko/20060607" > > > > > > > > i'm trying to use the regexp but with no success in this way: > > > > $template MsgFormat,"%msg%\n" > > > > $template ApacheRemoteCustom,"/var/log/apachelog/%msg:R:^\ > > > > [a-z,\.]*--end%_az.log" > > > > local6.info -?ApacheRemoteCustom;MsgFormat > > > > > > > > from the documentation: "the property replacer will return the > > part of > > > > the property text that matches the regular expression" which > > should be > > > > " www.mysite.com" > > > > but i get a file named _az.log > > > > > > > > -- > > > > mr > > > > > > > _______________________________________________ > > > > rsyslog mailing list > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > > > > > > > -- > > mr > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > -- mr _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog
