The syslog-ng application can rewrite parts of log messages: it can search and replace text, and it can set a specific field to a specified value. Rewriting messages is often used in conjunction with message parsing (see Section 8.6, “Message parsers”).
To replace a part of the log message, define the string or regular expression to find, the string to replace the original text with (macros can be used as well), and the field of the message that the rewrite rule should process. Substitution rules can operate on any value available via macros, e.g., HOST, MESSAGE, PROGRAM, or any user-defined macros created using parsers (see Section 8.6, “Message parsers” for details).
As of syslog-ng 3.1, it is also possible to rewrite the structured-data fields of messages complying with the RFC5424 (IETF-syslog) message format. Substitution rules use the following syntax:
Declaration:
rewrite <name_of_the_rule>
{subst("<string or regular expression to find>", "<replacement string>", value(<field name>) type() flags());};
The type() and flags() options are optional. The type() option specifies the type of regular expression to use, and the flags() option sets the flags of the regular expression (see Section 8.8, “Regular expressions” for details):
| Name | Description |
|---|---|
| posix | Use POSIX regular expressions. If the type() parameter is not specified, syslog-ng uses POSIX regular expressions by default. |
| pcre | Use PCRE regular expressions. This is available only if syslog-ng was compiled with the --enable-pcre option. Execute the syslog-ng -V command to list the options supported by your binary. PCRE support is currently disabled in syslog-ng Premium Edition. |
| string | Match the strings literally, without regular expression support. By default, only identical strings are matched. For partial matches, use the flags("prefix") or the flags("substring") flags. |

Table 8.22. Rewrite rule types
To set a field of the message to a specific value, define the string to include in the message and the field where it should be included. Setting a field can operate on any value available via macros, e.g., HOST, MESSAGE, PROGRAM, or any user-defined macros created using parsers (see Section 8.6, “Message parsers” for details). Note that this operation completely replaces any previous value of that field. Use the following syntax:
Declaration:
rewrite <name_of_the_rule>
{set("<string to include>", value(<field name>) flags());};
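The following configuration fragment is an added example, not part of the original guide: it combines a subst() rule that masks card-number-like digit sequences in the MESSAGE field with a set() rule that overwrites the PROGRAM field, and wires both into a log path. The source name s_local and destination name d_file are assumed to be defined elsewhere in the configuration.

```conf
# Added example (not from the syslog-ng guide). s_local and d_file
# are assumed to be defined elsewhere in syslog-ng.conf.

# Mask 16-digit sequences such as "4111 1111 1111 1111" before the
# message is written to disk. type("pcre") selects PCRE syntax;
# flags("global") replaces every match, not only the first one.
rewrite r_mask_pan {
    subst("[0-9]{4}([ -]?[0-9]{4}){3}",
          "[PAN-REDACTED]",
          value("MESSAGE") type("pcre") flags("global"));
};

# Overwrite the PROGRAM field with a fixed value. set() discards the
# previous value of the field entirely, so apply it only where that
# loss of information is acceptable.
rewrite r_set_program {
    set("payment-gateway", value("PROGRAM"));
};

# Rewrite rules take effect only when referenced from a log path;
# they run in the order listed, after the source and before the
# destination.
log {
    source(s_local);
    rewrite(r_mask_pan);
    rewrite(r_set_program);
    destination(d_file);
};
```

After reloading the configuration, a message containing "card 4111-1111-1111-1111 declined" arrives at d_file as "card [PAN-REDACTED] declined" with PROGRAM set to payment-gateway.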
© 2007-2010 BalaBit IT Security