[rsyslog-notify] Forum Thread: Re: Find and Replace in syslog message - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Tue Mar 14 10:53:21 CET 2017


User: PascalWithopf 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=27190#p27190

Message: 
----------
Hello Dave,

You can use mmnormalize to get the message you need.

All you need to do is load the module and use it on the message before the
output action.
A config could look like this.
[code:2ufqgoot]
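# Receive syslog over TCP and hand every message to ruleset1
module(load="imtcp")
module(load="mmnormalize")
input(type="imtcp" port="13514" ruleset="ruleset1")

# %$!umsg% is the field that the rulebase extracts
template(name="template" type="string" string="<%pri%> %timestamp% %hostname% %$!umsg%\n")

ruleset(name="ruleset1") {
	# Normalize the raw message first, then write it out with the template
	action(type="mmnormalize" useRawMsg="on" rulebase="/tmp/rules.rulebase")
	action(type="omfile" template="template" file="outputFile")
}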
[/code:2ufqgoot]

A rulebase you can use looks like this.
[code:2ufqgoot]

rule=:[%f1:char-to:]%][%f2:char-to:]%][%f3:char-to:]%][%f4:char-to:]%][%f5:char-to:]%] %umsg:rest%
[/code:2ufqgoot]

With this rulebase you have the brackets available as variables and the
rest of the message as one variable.

If you use the variable in the template of the output as shown in the
config above, you will get your result.

Best Regards
Pascal Withopf
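
What the rulebase above extracts from a message, as an added example that is not part of the original post: a Python emulation of only the two parsers the rule uses (`char-to` and `rest`), not liblognorm itself. The sample messages are constructed, and `compile_rule` and `normalize` are hypothetical helper names.

```python
import re

# Rule text from the rulebase above (everything after "rule=:"), on one line.
RULE = ("[%f1:char-to:]%][%f2:char-to:]%][%f3:char-to:]%]"
        "[%f4:char-to:]%][%f5:char-to:]%] %umsg:rest%")

# %name:type% or %name:type:extradata%
FIELD = re.compile(r"%([^:%]+):([^:%]+)(?::([^%]*))?%")

def compile_rule(rule):
    """Split a rule into ('lit', text) and ('field', name, type, arg) tokens."""
    tokens, pos = [], 0
    for m in FIELD.finditer(rule):
        if m.start() > pos:
            tokens.append(("lit", rule[pos:m.start()]))
        tokens.append(("field", m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if pos < len(rule):
        tokens.append(("lit", rule[pos:]))
    return tokens

def normalize(tokens, msg):
    """Return the extracted fields, or None when the message does not match."""
    fields, pos = {}, 0
    for tok in tokens:
        if tok[0] == "lit":
            # Literal text (brackets, the space) must match exactly.
            if not msg.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
        elif tok[2] == "char-to":
            # One or more characters up to the terminator character.
            end = msg.find(tok[3], pos)
            if end <= pos:  # terminator missing, or empty field
                return None
            fields[tok[1]], pos = msg[pos:end], end
        elif tok[2] == "rest":
            fields[tok[1]], pos = msg[pos:], len(msg)
        else:
            raise ValueError("parser type not emulated: " + tok[2])
    return fields if pos == len(msg) else None

# Constructed sample messages, not taken from the thread.
SAMPLE = "[2017-03-14][fw01][kernel][warn][eth0] connection dropped by policy"
NO_MATCH = "fw01 connection dropped by policy"

if __name__ == "__main__":
    print(normalize(compile_rule(RULE), SAMPLE))    # f1..f5 plus umsg
    print(normalize(compile_rule(RULE), NO_MATCH))  # None: no leading bracket
```

Because the rule begins with a literal `[`, a message that does not start with five bracketed fields is not normalized, and `%$!umsg%` stays empty in the output template.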

