[rsyslog-notify] Forum Thread: Property Replacer %fromhost-ip% - (Mode 'post')
noreply at adiscon.com
Wed Aug 3 15:36:44 CEST 2016
User: Thijn
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26848#p26848
Message:
----------
Hi,
I am trying to change the IP address %fromhost-ip% of incoming log
messages.
All logs are from switches; the problem with these switches is that they
have the wrong address as the IP address (fromhost-ip).
We manage these switches on another address, e.g. 10.0.0.X
We receive logs and this is what they look like.
2016-08-03 15:30:17.051, 10.3.201.101, local7.info, 15:30:09] SSH INFO bad pkalg ssh-rsa
I want the IP address prefix 10.3.201.1 replaced with 10.0.0.
10.0.0 is the prefix on which we manage these switches.
The filter we currently use:
$template CustomFormat,"%timegenerated:1:10:date-rfc3339% %timegenerated:12:23:date-rfc3339%, %fromhost-ip%, %syslogfacility-text%.%syslogseverity-text%, %msg%\n"
$template SendToHost,"/var/log/hosts/catch_all/catchall.syslog.log"
if $fromhost-ip != '127.0.0.1' then ?SendToHost2;CustomFormat
Now I tried many things within the template, but nothing seems to work.
%fromhost-ip:10.3.201.114:1.2.3.4%
%fromhost-ip:"10.3.201.114":"1.2.3.4"%
%fromhost-ip:R,BRE,0,FIELD:10.3.201.114:1.2.3.4%
As you see we already successfully inject fields into the log message, but
for some reason fromhost-ip is a stubborn one.
Maybe I'm going about it the wrong way... anybody any experience with this?
Thank you in advance.