Hello David,
Thanks for replying.

I think I should have made my template clearer as well ...
Actually these mac/ip addresses appear in the message portion, with
different kinds of logging messages that the system generates,
so my rule should work for a message like this as well


May 25 08:41:13. 00145e178cc8[12703]: 4|172|CORE| IP 10.0.0.87 assigned to device DEVICE_0

should become something like

May 25 08:41:13. [HIDDEN MAC][12703]: 4|172|CORE| IP [HIDDEN IP] assigned to device DEVICE_0


Also, the other requirement I have is to change the facility ID in the
outgoing syslog message.

That's when I thought about a search and replace functionality with the
property replacer ...
Not sure whether it is possible, though. So far I have been able to write
property replacers which can drop line feeds, or replace / with an _, but not
something like this.

Regards,
Sayan


On Tue, Jun 2, 2009 at 5:50 PM, <[email protected]> wrote:

> On Tue, 2 Jun 2009, Sayan Chowdhury wrote:
>
> > Hello All,
> >
> > This is my first post to this group, apologies if the question seems naive.
> >
> > I am trying to change strings within the syslog message before forwarding it
> > to an external log server. For example, if my regular expression matches a
> > MAC or an IP address present within the message, I want to replace it with a
> > string like this "<hidden ip>"
> > Another requirement is before forwarding the log to the external server, I
> > have to change the facility to a different number (say from local0 to
> > local7)
> >
> > The approach I was taking is defining a template with the regular expression
> > in it, checking for the pattern and then replacing the mac/ip address.
> >
> > However, I think this kind of pattern replacement is not supported with the
> > property replacer.
> > Is that correct?
> >
> > I am using rsyslog version 3.21 to try this out and here is an example of
> > what I am trying to do
> >
> > A sample log message
> >
> > May 25 08:41:13. 00145e178cc8[12703]: 4|172|CORE|All elements Connected
> >
> > I need to change it to
> >
> > May 25 08:41:13. [Hidden MAC][12703]: 4|172|CORE|All elements Connected
> >
> >
> > Before it gets forwarded to the external machine.
>
> in this case I believe that the MAC would show up in the programname (and
> syslog tag) fields.
>
> so instead of the default format which looks something like
> %timestamp% %hostname% %syslogtag%%msg%
>
> you would do something like
> %timestamp% %hostname% [Hidden MAC]%msg%
>
> and set up the conditions so that if it matches your condition it sends it
> out with the second format, but if it doesn't it uses the first.
>
> this isn't the search-and-replace functionality you were thinking of, but
> I think it will do the basic job (although the example I gave doesn't
> include the PID portion of the syslog tag, doing a substring on the syslog
> tag would let you add that back in if needed)
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
>
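
The two transformations asked for in this thread, as an added example that is not from either poster and is not rsyslog configuration: a stand-alone Python filter that masks MAC and IPv4 addresses anywhere in a line and rewrites the facility in the leading `<PRI>` value while keeping the severity. The `<134>` prefix (local0.info) on the sample line is constructed, and all function and constant names are assumptions.

```python
import re

# A MAC written as 12 bare hex digits (the form in the thread's sample) or as
# six colon/hyphen-separated pairs. Caveat: a 12-digit decimal number also
# matches the bare form, so narrow this if such numbers occur in your logs.
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{12}|[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

# Dotted-quad IPv4, each octet 0-255, not embedded in a longer dotted number.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"(?<![\d.]){OCTET}(?:\.{OCTET}){{3}}(?![\d.])")

# On the wire a syslog line starts with <PRI>, where PRI = facility*8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")
LOCAL7 = 23  # facility code for local7 (local0 is 16)

# Constructed sample: the thread's message with an assumed <134> PRI prepended.
SAMPLE = ("<134>May 25 08:41:13. 00145e178cc8[12703]: 4|172|CORE| "
          "IP 10.0.0.87 assigned to device DEVICE_0")


def rewrite_facility(line, new_facility=LOCAL7):
    """Swap the facility in the leading <PRI>, preserving the severity."""
    m = PRI_RE.match(line)
    if m is None or int(m.group(1)) > 191:
        return line  # no PRI, or out of range: forward unchanged
    severity = int(m.group(1)) % 8
    return f"<{new_facility * 8 + severity}>{line[m.end():]}"


def mask(line):
    """Replace every MAC and IPv4 address with a fixed placeholder."""
    line = MAC_RE.sub("[HIDDEN MAC]", line)
    return IPV4_RE.sub("[HIDDEN IP]", line)


def scrub(line, new_facility=LOCAL7):
    """Apply both transformations to one line before it is forwarded."""
    return mask(rewrite_facility(line, new_facility))


if __name__ == "__main__":
    print(scrub(SAMPLE))
```

Masking runs over the whole line, so it covers an address in the tag as well as one in the message text.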