To set a field of the message to a specific value, you have to:
define the string to include in the message, and
select the field where it should be included.
You can set the value of available macros, for example, HOST, MESSAGE, PROGRAM, or any user-defined macros created using parsers (for details, see parser: Parse and segment structured messages and db-parser: Process message content with a pattern database (patterndb)). Note that the rewrite operation completely replaces any previous value of that field.
Hard macros cannot be modified. For details on the hard and soft macros, see Hard versus soft macros).
Use the following syntax:
rewrite <name_of_the_rule> {
    set("<string to include>", value(<field name>));
};The following example sets the HOST field of the message to myhost.
rewrite r_rewrite_set{
    set("myhost", value("HOST"));
};
The following example appends the "suffix" string to the MESSAGE field:
rewrite r_rewrite_set{
    set("$MESSAGE suffix", value("MESSAGE"));
};
For details on rewriting SDATA fields, see Creating custom SDATA fields.
You can also use the following options in rewrite rules that use the set() operator.
rewrite <name_of_the_rule> {
    set("<string to include>", value(<field name>), on-error("fallback-to-string");
};
NOTE: The severity and facility fields can only be set by the set-severity() rewrite functions.
For more information, see Setting severity with the set-severity() rewrite function.
It is possible to configure the severity field with the set-severity() rewrite function. When configured, the set-severity() rewrite function will only rewrite the $SEVERITY field in the message to the first parameter value specified in the function.
NOTE: If the parameter value is not a valid parameter value, the function ignores it and sends a debug message, but the syslog-ng Open Source Edition (syslog-ng OSE) application still sends the message.
rewrite <name_of_the_rule> {
    set-severity("severity string or number");
};The set-severity() rewrite function has a single, mandatory parameter that can be defined as follows:
set-severity( "parameter1" );The set-severity() rewrite function accepts the following values:
The following examples can be used in production for the set-severity() rewrite function.
Example using string:
rewrite {
    set-severity("info");
};
Example using numeric string:
rewrite {
    set-severity("6");
};
Example using template:
rewrite {
    set-severity("${.json.severity}");
};You can unset macros or fields of the message, including any user-defined macros created using parsers (for details, see parser: Parse and segment structured messages and db-parser: Process message content with a pattern database (patterndb)). Note that the unset operation completely deletes any previous value of the field that you apply it on.
Hard macros cannot be modified. For details on the hard and soft macros, see Hard versus soft macros).
Use the following syntax:
rewrite <name_of_the_rule> {
    unset(value("<field-name>"));
};The following example unsets the HOST field of the message.
rewrite r_rewrite_unset{
    unset(value("HOST"));
};To unset a group of fields, you can use the groupunset() rewrite rule.
rewrite <name_of_the_rule> {
    groupunset(values("<expression-for-field-names>"));
};The following rule clears all SDATA fields:
rewrite r_rewrite_unset_SDATA{
    groupunset(values(".SDATA.*"));
};If you use RFC5424-formatted (IETF-syslog) messages, you can also create custom fields in the SDATA part of the message (For details on the SDATA message part, see The STRUCTURED-DATA message part). According to RFC5424, the name of the field (its SD-ID) must not contain the @ character for reserved SD-IDs. Custom SDATA fields must be in the following format: .SDATA.group-name@<private enterprise number>.field-name, for example, .SDATA.mySDATA-field-group@18372.4.mySDATA-field. (18372.4 is the private enterprise number of One Identity LLC, the developer of syslog-ng OSE.)
The following example sets the sequence ID field of the RFC5424-formatted (IETF-syslog) messages to a fixed value. This field is a predefined SDATA field with a reserved SD-ID, therefore its name does not contain the @ character.
rewrite r_sd {
    set("55555" value(".SDATA.meta.sequenceId"));
};
It is also possible to set the value of a field that does not exist yet, and create a new, custom name-value pair that is associated with the message. The following example creates the .SDATA.groupID.fieldID@18372.4 field and sets its value to yes. If you use the ${.SDATA.groupID.fieldID@18372.4} macro in a template or SQL table, its value will be yes for every message that was processed with this rewrite rule, and empty for every other message.
The next example creates a new SDATA field-group and field called custom and sourceip, respectively:
rewrite r_rewrite_set {
    set("${SOURCEIP}" value(".SDATA.custom@18372.4.sourceip"));
};
If you use the ${.SDATA.custom@18372.4.sourceip} macro in a template or SQL table, its value will be that of the SOURCEIP macro (as seen on the machine where the SDATA field was created) for every message that was processed with this rewrite rule, and empty for every other message.
You can verify whether or not the format is correct by looking at the actual network traffic. The SDATA field-group will be called custom@18372.4, and sourceip will become a field within that group. If you decide to set up several fields, they will be listed in consecutive order within the field-group's SDATA block.
© ALL RIGHTS RESERVED. 利用規約 プライバシー Cookies Preference Center