[rsyslog] Substract string from message

Radu Gheorghe radu0gheorghe at gmail.com
Tue Jan 15 10:55:46 CET 2013


Hi Xavier,

2013/1/15 Xavier Fustero <xfustero at gmail.com>

> Hi Radu,
>
> thanks for replying.
>
> Option 1 isn't suitable for me as the strings will have different lengths.
>
> Regarding option 2 (regular expressions) I tested it and I could use it to
> create dynamic files like I am doing currently using msg:F,58:1. However, I
> can't see how to use it to remove *mydirectory* string from the original
> message sent by my clients and write this modified message to the log file.
>
> Option 3 I should upgrade my current rsyslog version. It is planned in very
> close future sprints. Looked at it quickly but not sure 100% if it enables
> me to do this.
>
> I have read that version 7 offers structured logs. Does anyone know if this
> enables you to remove some pieces of the original message like the one I
> want to? If so, is there any good example?
>

Yes, so from the "sender" machine, you can make your output template write
something like this for %message%:

@cee: {"directory": "mydirectory1", "actual_message": "this is a test message"}

Then on the "receiver" machine, with rsyslog 7 you can use mmjsonparse to
parse this JSON and use the fields in templates. Here's a good resource:
http://www.rsyslog.com/receiving-cee-enhanced-syslog-in-rsyslog/

So once you parse the logs, with the example above you can use the
variables %$!directory% and %$!actual_message% in your templates. If you
need to output all the JSON (without the @cee: cookie), use %$!all-json%.


>
> Thanks a log,
>

Nice wordplay :) You're welcome :)

Best regards,
Radu
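
A receiver-side configuration for the approach described in the message above, added here as an example; it is not part of the original post or taken from the rsyslog project. The port, the /var/log/remote paths and the template names are assumptions. Because the directory field is supplied by the sender, the file-name template applies the secpath-replace property option before the value becomes part of a path.

```conf
# Example receiver configuration (rsyslog 7, RainerScript syntax).
# Port, paths and template names are assumptions for illustration.
module(load="imtcp")
module(load="mmjsonparse")

input(type="imtcp" port="514")

# File name built from the sender-supplied "directory" field.
# secpath-replace turns any "/" in the value into "_", so the value
# stays a single file name under /var/log/remote/.
template(name="PerDirFile" type="string"
         string="/var/log/remote/%$!directory:::secpath-replace%.log")

# Log line without the directory string: only the parsed message body.
template(name="BodyOnly" type="string"
         string="%timestamp% %hostname% %$!actual_message%\n")

# Parse the JSON that follows the @cee: cookie into $! fields.
action(type="mmjsonparse")

if $parsesuccess == "OK" and $!directory != "" then {
    action(type="omfile" dynaFile="PerDirFile" template="BodyOnly")
} else {
    # No cookie, invalid JSON or no directory field: keep the raw message.
    action(type="omfile" file="/var/log/remote/unparsed.log")
}
```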

