[rsyslog] about "Property Replacer"!!

Rainer Gerhards rgerhards at hq.adiscon.com
Wed May 13 12:43:10 CEST 2009


Hi,

let me explain. You tell rsyslog to use ASCII-SP " ", code 32, as a
delimiter. Now looking at the message, it starts with a space (almost all
RFC3164-messages do because of the definitions in RFC3164). So field 1 is an
empty field, and field 2 is what you actually get. It is delimited by another
space.

Hope this helps,
Rainer 

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of liangjun
> Sent: Wednesday, May 13, 2009 12:24 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] about "Property Replacer"!!
> 
> hello!
> About the Property Replacer, I have a problem:
> *extraction can be done based on so-called "fields",*
> This is an example about fields!
> %msg% is " DROP_url_www.sina.com.cn:IN=eth1 OUT=eth0 SRC=192.168.10.78
> DST=61.172.201.194 LEN=1182 TOS=0x00 PREC=0x00 TTL=63 ID=14368 DF
> PROTO=TCP SPT=33343 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0"
> %msg:F,32:2% is "DROP_url_www.sina.co", not
> "DROP_url_www.sina.com.cn:IN=eth1", so why?
> And I did another test, and the fields are always 20 characters!
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
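
The field numbering described in the reply, as an added example that is not part of either message and is not rsyslog code: a Python model in which every delimiter character ends a field, applied to the %msg% value from the question. The function names are hypothetical, and it models field numbering only, not the 20-character result reported in the question.

```python
# Added illustration, not rsyslog source: a simplified model of the field
# numbering used by %msg:F,<delimiter code>:<field number>%.
# Function names are hypothetical.

# The %msg% value from the question, joined onto one line (note the leading space).
MSG = (" DROP_url_www.sina.com.cn:IN=eth1 OUT=eth0 SRC=192.168.10.78 "
       "DST=61.172.201.194 LEN=1182 TOS=0x00 PREC=0x00 TTL=63 ID=14368 DF "
       "PROTO=TCP SPT=33343 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0")


def number_fields(msg, delim_code=32):
    """Map 1-based field numbers to field text.

    Each delimiter character ends a field, so a delimiter at position 0
    leaves field 1 empty and pushes the first token to field 2.
    """
    return dict(enumerate(msg.split(chr(delim_code)), start=1))


def field(msg, delim_code, number):
    """Text of one field, or None when the message has fewer fields."""
    return number_fields(msg, delim_code).get(number)


def field_number_of(msg, delim_code, prefix):
    """Number of the first field starting with prefix, or None if absent."""
    for number, text in number_fields(msg, delim_code).items():
        if text.startswith(prefix):
            return number
    return None


if __name__ == "__main__":
    # Print the full numbering so the right index can be read off directly.
    for number, text in number_fields(MSG).items():
        print(f"{number:2d} {text!r}")
    # The same token moves by one position when the leading space is absent.
    print(field_number_of(MSG, 32, "SRC="),
          field_number_of(MSG.lstrip(" "), 32, "SRC="))
```

When a template picks firewall fields by position, listing the numbering this way on a captured message shows whether the leading space has shifted every index by one.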


