[rsyslog] about "Property Replacer"!!

liangjun liangjun at osslab.org
Wed May 13 13:08:55 CEST 2009


Thank you for the reply!
Yes, you are right.
But %msg:F,32:2% is "DROP_url_www.sina.co", not
"DROP_url_www.sina.com.cn:IN=eth1". Why?

> Hi,
>
> let me explain. You tell rsyslog to use ASCII-SP " ", code 32, as a
> delimiter. Now looking at the message, it starts with a space (almost all
> RFC3164-messages do because of the definitions in RFC3164). So field 1 is an
> empty field, and field 2 is what you actually get. It is delimited by another
> space.
>
> Hope this helps,
> Rainer 
>
>   
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of liangjun
>> Sent: Wednesday, May 13, 2009 12:24 PM
>> To: rsyslog at lists.adiscon.com
>> Subject: [rsyslog] about "Property Replacer"!!
>>
>> Hello!
>> About the Property Replacer, I have a problem:
>> *extraction can be done based on so-called "fields",*
>> This is an example about fields!
>> %msg% is " DROP_url_www.sina.com.cn:IN=eth1 OUT=eth0 SRC=192.168.10.78
>> DST=61.172.201.194 LEN=1182 TOS=0x00 PREC=0x00 TTL=63 ID=14368 DF
>> PROTO=TCP SPT=33343 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0"
>> %msg:F,32:2% is "DROP_url_www.sina.co", not
>> "DROP_url_www.sina.com.cn:IN=eth1", so why?
>> And I did some other tests, and the field is always 20 characters!
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
>>     
>   
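
The field counting Rainer describes in the quoted reply, as an added example that is not part of the thread and not rsyslog's own code: a small Python model of `%msg:F,32:N%` run over the `%msg%` value quoted above. The function names are hypothetical, and the line wraps in the quoted message are assumed to be single spaces. It shows only how the leading space shifts the field numbers; it does not reproduce the 20-character truncation reported in the thread.

```python
# Model of rsyslog's field-based property extraction, %prop:F,<delim>:<n>%.
# Illustrative only: not rsyslog source code. Function names are hypothetical.

# %msg% as quoted in the thread (line wraps assumed to be single spaces).
MSG = (" DROP_url_www.sina.com.cn:IN=eth1 OUT=eth0 SRC=192.168.10.78 "
       "DST=61.172.201.194 LEN=1182 TOS=0x00 PREC=0x00 TTL=63 ID=14368 DF "
       "PROTO=TCP SPT=33343 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0")


def extract_field(value, delim_code, field_no):
    """Return field number field_no (1-based) of value, split on the
    character whose decimal code is delim_code; None if out of range."""
    if field_no < 1:
        return None
    # Every delimiter ends a field, so a leading delimiter yields an
    # empty field 1 and pushes the first visible token to field 2.
    fields = value.split(chr(delim_code))
    return fields[field_no - 1] if field_no <= len(fields) else None


def field_number_of(value, delim_code, key):
    """Return the 1-based field number whose content starts with key,
    i.e. the N to use in %msg:F,<delim_code>:N%; None if no field matches."""
    for number, field in enumerate(value.split(chr(delim_code)), start=1):
        if field.startswith(key):
            return number
    return None


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        print(n, repr(extract_field(MSG, 32, n)))
    for key in ("SRC=", "DST=", "DPT="):
        print(key, "is field", field_number_of(MSG, 32, key))
```
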