On Tue, 2 Jun 2009, Sayan Chowdhury wrote:

> Hello All,
>
> This is my first post to this group, apologies if the question seems naive.
>
> I am trying to change strings within the syslog message before forwarding it
> to an external log server. For example, if my regular expression matches a
> MAC or an IP address present within the message, I want to replace it with a
> string like this "<hidden ip>"
> Another requirement is before forwarding the log to the external server, I
> have to change the facility to a different number (say from local0 to
> local7)
>
> The approach I was taking is defining a template with the regular expression
> in it, checking for the pattern and then replacing the MAC/IP address.
>
> However, I think this kind of pattern replacement is not supported with the
> property replacer.
> Is that correct?
>
> I am using rsyslog version 3.21 to try this out and here is an example of
> what I am trying to do
>
> A sample log message
>
> May 25 08:41:13. 00145e178cc8[12703]: 4|172|CORE|All elements Connected
>
> I need to change it to
>
> May 25 08:41:13. [Hidden MAC][12703]: 4|172|CORE|All elements Connected
>
> Before it gets forwarded to the external machine.
in this case I believe that the MAC would show up in the programname (and syslog tag) fields.

so instead of the default format which looks something like

%timestamp% %hostname% %syslogtag%%msg%

you would do something like

%timestamp% %hostname% [Hidden MAC]%msg%

and set up the conditions so that if it matches your condition it sends it out with the second format, but if it doesn't it uses the first.

this isn't the search-and-replace functionality you were thinking of, but I think it will do the basic job (although the example I gave doesn't include the PID portion of the syslog tag, doing a substring on the syslog tag would let you add that back in if needed)

David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
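The selection logic described in the reply, modelled offline as an added Python example (not part of the original thread and not rsyslog configuration), useful for checking which lines would take the redacted format before building the equivalent rsyslog condition and templates. The function name, the hostname `host1` in the test lines, and the assumption that the MAC appears as 12 bare hex digits in the program name are illustrative.

```python
import re

# RFC 3164-style line: timestamp, hostname, syslog tag (program[pid]:), msg.
# As in rsyslog's default format, msg keeps its leading space after the tag.
LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<syslogtag>(?P<programname>[^\s\[:]+)(?P<pid>\[\d+\])?:?)"
    r"(?P<msg>.*)$"
)

# Assumption: the MAC is written as 12 hex digits with no separators,
# as in the sample message from the thread.
MAC = re.compile(r"^[0-9A-Fa-f]{12}$")

PLACEHOLDER = "[Hidden MAC]"


def render_for_forwarding(line, keep_pid=True):
    """Return the line as it would be forwarded, or None if it cannot be parsed.

    Returning None lets the caller drop or quarantine the line instead of
    forwarding something that was never checked for a MAC.
    """
    m = LINE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    if MAC.match(f["programname"]):
        # Second format: a literal placeholder replaces %syslogtag%.
        # The PID part is the substring of the tag after the program name.
        rest = f["syslogtag"][len(f["programname"]):] if keep_pid else ""
        tag = PLACEHOLDER + rest
    else:
        # First (default) format: the tag is forwarded unchanged.
        tag = f["syslogtag"]
    return f"{f['timestamp']} {f['hostname']} {tag}{f['msg']}"


if __name__ == "__main__":
    # Constructed test lines; "host1" is a placeholder hostname.
    for sample in (
        "May 25 08:41:13 host1 00145e178cc8[12703]: 4|172|CORE|All elements Connected",
        "May 25 08:41:14 host1 sshd[811]: session opened",
    ):
        print(render_for_forwarding(sample))
```

This only covers a MAC in the tag; a MAC or IP address inside the message body is not touched by either format.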

