[rsyslog] Substract string from message

Rainer Gerhards rgerhards at hq.adiscon.com
Tue Jan 15 11:11:26 CET 2013



> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Xavier Fustero
> Sent: Tuesday, January 15, 2013 11:06 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Substract string from message
> 
> Hi Rainer, Radu,
> 
> thanks for your answer. I really appreciate both.
> 
> The mmjsonparse example looks very interesting but after Rainer's email I am
> afraid about performance impact. We have several rsyslog servers on the
> cloud and some are pretty busy.

If what Radu posted fits your need, performance is not too much affected. I thought you wanted to actually remove a part of the message. That would require setting and modifying a number of local variables, which would be performance intense.

Rainer
> 
> Anyway, thanks a lot for your answers. I will let the manager decide on which
> direction we should move.
> 
> Kind regards,
> Xavi
> 
> On 15 January 2013 10:55, Radu Gheorghe <radu0gheorghe at gmail.com>
> wrote:
> 
> > Hi Xavier,
> >
> > 2013/1/15 Xavier Fustero <xfustero at gmail.com>
> >
> > > Hi Radu,
> > >
> > > thanks for replying.
> > >
> > > Option 1 isn't suitable for me as the strings will have different
> > > lengths.
> > >
> > > Regarding option 2 (regular expressions) I tested it and I could use
> > > it to create dynamic files like I am doing currently using msg:F,58:1.
> > > However, I can't see how to use it to remove *mydirectory* string from
> > > the original message sent by my clients and write this modified message
> > > to the log file.
> > >
> > > Option 3 I should upgrade my current rsyslog version. It is planned
> > > in very close future sprints. Looked at it quickly but not sure 100% if
> > > it enables me to do this.
> > >
> > > I have read that version 7 offers structured logs. Does anyone know
> > > if this enables you to remove some pieces of the original message like
> > > the one I want to? If so, is there any good example?
> > >
> >
> > Yes, so from the "sender" machine, you can make your output template
> > write something like this for %message%:
> >
> > @cee: {"directory": "mydirectory1", "actual_message": "this is a test message"}
> >
> > Then on the "receiver" machine, with rsyslog 7 you can use mmjsonparse
> > to parse this JSON and use the fields in templates. Here's a good resource:
> > http://www.rsyslog.com/receiving-cee-enhanced-syslog-in-rsyslog/
> >
> > So once you parse the logs, with the example above you can use the
> > variables %$!directory% and %$!actual_message% in your templates. If
> > you need to output all the JSON (without the @cee: cookie), use
> > %$!all-json%.
> >
> >
> > >
> > > Thanks a log,
> > >
> >
> > Nice wordplay :) You're welcome :)
> >
> > Best regards,
> > Radu
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
> >


More information about the rsyslog mailing list
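
A receiver-side sketch of the mmjsonparse approach discussed in this thread, added here as an example and not taken from any of the posters. It assumes rsyslog 7 RainerScript syntax with inputs configured elsewhere; the paths and template names are made up for illustration. Because `directory` is supplied by the sending client and ends up in a file name, the template strips slashes from it and pins it behind a fixed prefix.

```conf
# Added example: receiver side for the @cee approach from this thread.
# Paths and template names are assumptions; inputs are configured elsewhere.
#
# Constructed sample of what the sender puts in the message part:
#   @cee: {"directory": "mydirectory1", "actual_message": "this is a test message"}

module(load="mmjsonparse")

# Target file derived from the client-supplied "directory" field.
# secpath-replace turns every "/" in the value into "_", and the fixed
# "dir-" prefix means a value such as ".." still yields an ordinary file
# name inside /var/log/remote instead of a parent-directory reference.
template(name="PerDirFile" type="string"
         string="/var/log/remote/dir-%$!directory:::secpath-replace%.log")

# Line written to that file: timestamp, host and only the actual_message
# field, so the directory string no longer appears in the stored message.
template(name="MsgOnly" type="string"
         string="%timereported:::date-rfc3339% %hostname% %$!actual_message%\n")

# Parse the JSON that follows the @cee: cookie into $! variables.
action(type="mmjsonparse")

if $parsesuccess == "OK" and $!directory != "" then {
    # Parsed and has a directory field: route by directory, write the
    # stripped message.
    action(type="omfile" dynaFile="PerDirFile" template="MsgOnly")
} else {
    # No cookie, invalid JSON or missing field: keep the original line
    # in one fixed file so nothing is silently dropped or misrouted.
    action(type="omfile" file="/var/log/remote/unparsed.log"
           template="RSYSLOG_FileFormat")
}
```

Any client allowed to send to this receiver can choose which `dir-*.log` file it writes to, so restrict the senders at the input or firewall if the per-directory files need to be trusted.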