[rsyslog-notify] Forum Thread: Re: Find and Replace in syslog message - (Mode 'reply')
noreply at adiscon.com
Tue Mar 14 10:53:21 CET 2017
User: PascalWithopf
Forumlink: http://kb.monitorware.com/viewtopic.php?p=27190#p27190
Message:
----------
Hello Dave,
You can use mmnormalize to get the message you need.
All you need to do is load the module and use it on the message before the
output action.
A config could look like this.
[code]
# Load the TCP input and the normalization module
module(load="imtcp")
module(load="mmnormalize")

input(type="imtcp" port="13514" ruleset="ruleset1")

# The output line uses the normalized field $!umsg
template(name="template" type="string" string="<%pri%> %timestamp% %hostname% %$!umsg%\n")

ruleset(name="ruleset1") {
    # Parse the raw message with the rulebase, then write the result
    action(type="mmnormalize" useRawMsg="on" rulebase="/tmp/rules.rulebase")
    action(type="omfile" template="template" file="outputFile")
}
[/code]
A rulebase you can use looks like this.
[code]
rule=:[%f1:char-to:]%][%f2:char-to:]%][%f3:char-to:]%][%f4:char-to:]%][%f5:char-to:]%] %umsg:rest%
[/code]
With this rulebase you have the brackets available as variables and the
rest of the message as one variable.
If you use the variable in the template of the output as shown in the
config above, you will get your result.
Best Regards
Pascal Withopf
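
The following is an added example, not part of the original post and not rsyslog or liblognorm code: a small Python sketch that interprets the rule above (read as one line, with a single space before %umsg:rest%) to show which fields a message yields and what happens when it does not match. The sample messages are constructed, and the matching behaviour of `char-to` here is a simplification.

```python
import re

# The rule from the post, joined onto one line (assumed: one space before %umsg:rest%).
RULE = ("[%f1:char-to:]%][%f2:char-to:]%][%f3:char-to:]%]"
        "[%f4:char-to:]%][%f5:char-to:]%] %umsg:rest%")

# Matches the two field types the rule uses: %name:char-to:X% and %name:rest%.
FIELD = re.compile(r"%([^:%]+):(char-to|rest)(?::(.))?%")


def normalize(rule, msg):
    """Return the extracted fields as a dict, or None if msg does not match."""
    fields = {}
    pos = 0   # read position in the message
    last = 0  # read position in the rule
    for m in FIELD.finditer(rule):
        literal = rule[last:m.start()]
        if not msg.startswith(literal, pos):
            return None  # literal text such as "][" is missing
        pos += len(literal)
        name, ftype, stop = m.group(1), m.group(2), m.group(3)
        if ftype == "rest":
            fields[name] = msg[pos:]
            pos = len(msg)
        else:
            end = msg.find(stop, pos)
            # This sketch requires a non-empty field and a terminator.
            if end <= pos:
                return None
            fields[name] = msg[pos:end]
            pos = end
        last = m.end()
    if msg[pos:] != rule[last:]:
        return None
    return fields


def umsg_for_template(msg):
    """Value %$!umsg% would carry in the output template ('' if unparsed)."""
    fields = normalize(RULE, msg)
    return fields["umsg"] if fields else ""


if __name__ == "__main__":
    # Constructed sample messages, not taken from the thread.
    for sample in ("[a][b][c][d][e] user login failed", "[a][b] too few fields"):
        print(repr(sample), "->", normalize(RULE, sample))
```

A message with fewer than five bracketed fields does not match, so `$!umsg` stays empty and the output line would contain only the header fields; it is worth checking the output file for such lines after deploying the rulebase.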