
When I write my logs without adding my substitution, I am able to write just fine. However, since I am building upon a central logging server, I need to add the host name from the source log to the existing message that is being processed. I intend to have the substitution be something to this effect.

- - [

with

$HOST [

Where $HOST is the universal macro for a hostname.

When I run the following, it removes my entire line when I run the substitution. Does anyone have any idea what I am doing wrong with my regex? The docs said that I needed to use [ within single quotes to make this special character a literal.

rewrite r_addhostname{
  subst('- - \[', '$HOST \[', value("MESSAGE"));
};

Thanks in advance, Cole

Cole Shores
  • Have you tried using the "keep-hostname" option in your destination? – Tom Damon Jan 29 '14 at 18:24
  • I haven't; however, I simply added $HOST to my template to accomplish something similar. Then theoretically parse against that after it is pulled from a key->store system like redis. I may take a different route anyways. Just dump it to a UDP port and directly off of UDP on a different logstash machine. – Cole Shores Jan 29 '14 at 23:57
  • We have set up Intel Nuc boxes in client offices to collect syslog messages from LAN devices and forward them to a cloud server through a TLS tunnel. In the /etc/syslog-ng/conf.d folder, I'll create a tls.conf file with "keep-hostname();" in the 'destination d_tls' line, and it works like a champ. – Tom Damon Jan 30 '14 at 14:51

0 Answers