[rsyslog] Substract string from message

Radu Gheorghe radu0gheorghe at gmail.com
Tue Jan 15 10:55:46 CET 2013

Hi Xavier,

2013/1/15 Xavier Fustero <xfustero at gmail.com>

> Hi Radu,
> thanks for replying.
> Option 1 doesn't suitable for me as the strings will have different length.
> Regarding option 2 (regular expressions) I tested it and I could use it to
> create dynamic files like I am doing currently using msg:F,58:1. However, I
> can't see how to use it to remove *mydirectory* string from the original
> message sent by my clients and write this modified message to the log file.
> Option 3 I should upgrade my current rsyslog version. It is planned in very
> close future sprints. Looked at it quickly but not sure 100% if it enables
> me to do this.
> I have read that version 7 offers structured logs. Does anyone know if this
> enables you to remove some pieces of the original message like the one I
> want to? If so, is there any good example?

Yes, so from the "sender" machine, you can make your output template write
something like this for %message%:

@cee: {"directory": "mydirectory1", "actual_message": "this is a test

Then on the "receiver" machine, with rsyslog 7 you can use mmjsonparse to
parse this JSON and use the fields in templates. Here's a good resource:

So once you parse the logs, with the example above you can use the
variables %$!directory% and %$!actual_message% in your templates. If you
need to output all the JSON (without the @cee: cookie), use %$!all-json%.

> Thanks a log,

Nice wordplay :) You're welcome :)

Best regards,

More information about the rsyslog mailing list