-1

The requirement is to extract the IP address inside the raw log and put it in the syslog header. I tried different ways but was not able to get it to work. Any idea? I've tried to use regex, but it seems $1 $2 are not working after I put the flag.

  • Welcome to Server Fault! What have you tried? What did you expect to happen? What happened instead? What does your config look like? Do you have any log entries from the times it didn't work as expected? – Jenny D May 31 '17 at 11:31

1 Answer

0

What kind of log message is it? In recent versions there are lots of different possibilities to parse message content with syslog-ng, for example, JSON, key=value lists, CSV, and so on.

If you only want to use regular expressions, try using a conditional rewrite rule, and set the flags("store-matches") option in the condition. Something like:

    rewrite r_rewrite_set {
        set("<something-referencing-the-match>", value("HOST")
            condition(message("<regexp-to-find-IP>" flags("store-matches"))));
    };

Robert Fekete
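
A concrete form of the conditional rewrite described in the answer, added here as an example (it is not part of the answer above). It assumes the address appears in the message body as `src=<IPv4>`; that format, the file path, and the names `s_net`, `d_file`, `r_host_from_msg` and `orig_host` are hypothetical.

```conf
# Added example, not from the original answer.
# Assumption: the raw message contains "src=<IPv4>" (constructed format);
# adjust the regexp to the real log layout.

source s_net {
    network(transport("udp") port(514));
};

rewrite r_host_from_msg {
    # The message body is sender-controlled, so keep the original HOST
    # in a separate name-value pair before overwriting it.
    set("${HOST}", value("orig_host"));

    # Single quotes keep the backslashes in the regexp literal.
    # With flags("store-matches"), capture group 1 is available as $1
    # in the template of this set(); HOST changes only when the
    # condition matches, otherwise the message passes through untouched.
    set("$1", value("HOST")
        condition(message('src=([0-9]{1,3}(\.[0-9]{1,3}){3})' flags("store-matches"))));
};

destination d_file {
    # Write both values so a rewritten HOST can be traced to the real sender.
    file("/var/log/rewritten.log"
         template("${ISODATE} ${HOST} orig=${orig_host} ${MSGHDR}${MSG}\n"));
};

log {
    source(s_net);
    rewrite(r_host_from_msg);
    destination(d_file);
};
```

The regexp only checks the dotted-quad shape, not that each octet is at most 255, so treat the rewritten HOST as a label taken from the message rather than as a verified sender address.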