On Tue, 2 Jun 2009, Sayan Chowdhury wrote:

> Hello David,
> Thanks for replying.
>
> I think I should have made my template clearer as well ...
> Actually these mac/ip addresses appear in the message portion. with
> different kind of logging message that the system generates
> so my rule should work for a message like this as well
>
>
> May 25 08:41:13. 00145e178cc8[12703]: 4|172|CORE| IP 10.0.0.87 assigned to device DEVICE_0
> should become something like
>
>
> May 25 08:41:13. [HIDDEN MAC][12703]: 4|172|CORE| IP [HIDDEN IP] assigned to device DEVICE_0
>
>
> also, the other requirement I have is to change the facility Id in the
> outgoing syslog message.

there are few enough facility Ids that you can put them into the template

> That's when I thought about a search and replace functionality with the
> property replacer ...
> Not sure whether it is possible though, so far I have been able to write
> property replacers which can drop line feed, or replace / with an _ but not
> something like this.

I haven't seen any ability to do arbitrary search-and-replace in rsyslog.

David Lang

> Regards,
> Sayan
>
>
> On Tue, Jun 2, 2009 at 5:50 PM, <[email protected]> wrote:
>
>> On Tue, 2 Jun 2009, Sayan Chowdhury wrote:
>>
>>> Hello All,
>>>
>>> This is my first post to this group, apologize if the question seems naive.
>>>
>>> I am trying to change strings within the syslog message before forwarding it
>>> to an external log server. For example, if my regular expression matches an
>>> mac or an IP address present within the message, I want to replace it with a
>>> string like this "<hidden ip>"
>>> Another requirement is before forwarding the log to the external server, I
>>> have to change the facility to a different number (say from local0 to
>>> local7)
>>>
>>> The approach I was taking is defining a template with the regular expression
>>> in it, checking for the pattern and then replacing the mac/ip address.
>>>
>>> However, I think this kind of pattern replacement is not supported with the
>>> property replacer.
>>> Is that correct?
>>>
>>> I am using rsyslog version 3.21 to try this out and here is an example of
>>> what I am trying to do
>>>
>>> A sample log message
>>>
>>> May 25 08:41:13. 00145e178cc8[12703]: 4|172|CORE|All elements Connected
>>>
>>> I need to change it to
>>>
>>> May 25 08:41:13. [Hidden MAC][12703]: 4|172|CORE|All elements Connected
>>>
>>>
>>> Before it gets forwarded to the external machine.
>>
>> in this case I believe that the MAC would show up in the programname (and
>> syslog tag) fields.
>>
>> so instead of the default format which looks something like
>> %timestamp% %hostname% %syslogtag%%msg%
>>
>> you would do something like
>> %timestamp% %hostname% [Hidden MAC]%msg%
>>
>> and set up the conditions so that if it matches your condition it sends it
>> out with the second format, but if it doesn't it uses the first.
>>
>> this isn't the search-and-replace functionality you were thinking of, but
>> I think it will do the basic job (although the example I gave doesn't
>> include the PID portion of the syslog tag, doing a substring on the syslog
>> tag would let you add that back in if needed)
>>
>> David Lang
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
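
The rewrite asked for in this thread, done as a stand-alone filter step before forwarding rather than inside rsyslog (an added example, not code from the thread or from the rsyslog project). The `<134>` PRI prefix on the sample lines, the name `redact` and the regular expressions are assumptions; local0 and local7 are syslog facility numbers 16 and 23.

```python
import re

# Constructed samples: the two message shapes quoted in the thread, with an
# assumed <PRI> prefix (local0.info = 16*8 + 6 = 134) as it appears on the wire.
SAMPLES = [
    "<134>May 25 08:41:13. 00145e178cc8[12703]: 4|172|CORE|All elements Connected",
    "<134>May 25 08:41:13. 00145e178cc8[12703]: 4|172|CORE| IP 10.0.0.87 "
    "assigned to device DEVICE_0",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
HEX = "[0-9A-Fa-f]"
# Bare 12-hex-digit MAC (the form in the thread) or the colon/dash form.
# Any other 12-hex-digit token is masked too: over-masking is the safe side.
MAC_RE = re.compile(
    r"(?<!%s)(?:%s{12}|(?:%s{2}[:-]){5}%s{2})(?!%s)" % ((HEX,) * 5)
)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def _mask_ip(match):
    # Only mask dotted quads whose octets are all in range 0-255.
    octets = match.group().split(".")
    return "[HIDDEN IP]" if all(int(o) <= 255 for o in octets) else match.group()


def redact(line, new_facility=23):
    """Mask MAC/IPv4 strings and re-tag the line with new_facility (23 = local7)."""
    pri = PRI_RE.match(line)
    if pri:
        severity = int(pri.group(1)) & 7  # PRI = facility * 8 + severity
        line = "<%d>%s" % (new_facility * 8 + severity, line[pri.end():])
    line = MAC_RE.sub("[HIDDEN MAC]", line)
    return IPV4_RE.sub(_mask_ip, line)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(redact(sample))
```

Lines without a PRI prefix keep their facility and are only masked.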

