Is it possible for a parser to just modify the input string and then let
it fall through for another parser to handle the modified string?
I have two rather simple parsers I want to write that fall in this
category
1. Cisco with name resolution
A cisco without name resolution turned on logs
<pri> timestamp IPaddr %tag msg
a cisco with name resolution turned on logs
<pri> timestamp name : %tag msg
I want to detect the bare : in the syslog field followed by the % at the
start of the next tag, and if I find them, just memmove everything up (so
that the % ends up where the : was, shortening the string by two
characters), then let if fall through for normal processing.
2. AIX forwarding messages
AIX defaults to messages in the format
<pri> timestamp Message Forwarded From hostname syslogtag msg
I want to look for 'Message Forwarded From' starting in the hostname
field, and if I find them, memmove everything up so that the hostname is
in the right place, and again let everything fall through to the normal
parser for handling.
I really don't want to have to duplicate the normal parser in each of
these parsers as they are just (almost) trivial cleanups of the log
message before it's handled normally.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
