You can unset macros or fields of the message, including any user-defined macros created using parsers (for details, see parser: Parse and segment structured messages and db-parser: Process message content with a pattern database (patterndb)). Note that the unset operation completely deletes any previous value of the field that you apply it on.
NOTE: Hard macros cannot be modified. For details on the hard and soft macros, see Hard versus soft macros).
Use the following syntax:
rewrite <name_of_the_rule> {
unset(value("<field-name>"));
};The following example unsets the HOST field of the message.
rewrite r_rewrite_unset{
unset(value("HOST"));
};To unset a group of fields, you can use the groupunset() rewrite rule.
rewrite <name_of_the_rule> {
groupunset(values("<expression-for-field-names>"));
};The following rule clears all SDATA fields:
rewrite r_rewrite_unset_SDATA{
groupunset(values(".SDATA.*"));
};If you use RFC5424-formatted (IETF-syslog) messages, you can also create custom fields in the SDATA part of the message (For details on the SDATA message part, see The STRUCTURED-DATA message part). According to RFC5424, the name of the field (its SD-ID) must not contain the @ character for reserved SD-IDs. Custom SDATA fields must be in the following format: .SDATA.group-name@<private enterprise number>.field-name, for example, .SDATA.mySDATA-field-group@18372.4.mySDATA-field. (18372.4 is the private enterprise number of One Identity LLC, the developer of syslog-ng OSE.)
The following example sets the sequence ID field of the RFC5424-formatted (IETF-syslog) messages to a fixed value. This field is a predefined SDATA field with a reserved SD-ID, therefore its name does not contain the @ character.
rewrite r_sd {
set("55555" value(".SDATA.meta.sequenceId"));
};
It is also possible to set the value of a field that does not exist yet, and create a new, custom name-value pair that is associated with the message. The following example creates the .SDATA.groupID.fieldID@18372.4 field and sets its value to yes. If you use the ${.SDATA.groupID.fieldID@18372.4} macro in a template or SQL table, its value will be yes for every message that was processed with this rewrite rule, and empty for every other message.
The next example creates a new SDATA field-group and field called custom and sourceip, respectively:
rewrite r_rewrite_set {
set("${SOURCEIP}" value(".SDATA.custom@18372.4.sourceip"));
};
If you use the ${.SDATA.custom@18372.4.sourceip} macro in a template or SQL table, its value will be that of the SOURCEIP macro (as seen on the machine where the SDATA field was created) for every message that was processed with this rewrite rule, and empty for every other message.
You can verify whether or not the format is correct by looking at the actual network traffic. The SDATA field-group will be called custom@18372.4, and sourceip will become a field within that group. If you decide to set up several fields, they will be listed in consecutive order within the field-group's SDATA block.
The groupset() rewrite rule allows you to modify the value of multiple message fields at once, for example, to change the value of sensitive fields extracted using patterndb, or received in a JSON format. (If you want to modify the names of message fields, see map-value-pairs: Rename value-pairs to normalize logs.)
The first parameter is the new value of the modified fields. This can be a simple string, a macro, or a template (which can include template functions as well).
The second parameter (values()) specifies the fields to modify. You can explicitly list the macros or fields (a space-separated list with the values enclosed in double-quotes), or use wildcards and glob expressions to select multiple fields.
Note that groupset() does not create new fields, it only modifies existing fields.
You can refer to the old value of the field using the $_ macro. This is resolved to the value of the current field, and is available only in groupset() rules.
rewrite <name_of_the_rule> {
groupset("<new-value-of-the-fields>", values("<field-name-or-glob>" ["<another-field-name-or-glob>"]));
};The following examples show how to change the values of multiple fields at the same time.
Change the value of the HOST field to myhost.
groupset ("myhost" values("HOST"))
Change the value of the HOST and FULLHOST fields to myhost.
groupset ("myhost" values("HOST" "FULLHOST"))
Change the value of the HOST FULLHOST and fields to lowercase.
groupset ("$(lowercase "$_")" values("HOST" "FULLHOST"))
Change the value of each field and macro that begins with .USER to nobody.
groupset ("nobody" values(".USER.*"))
Change the value of each field and macro that begins with .USER to its SHA-1 hash (truncated to 6 characters).
groupset ("$(sha1 --length 6 $_)" values(".USER.*"))The map-value-pairs() parser allows you to map existing name-value pairs to a different set of name-value pairs. You can rename them in bulk, making it easy to use for log normalization tasks (for example, when you parse information from different log messages, and want to convert them into a uniform naming scheme). You can use the normal value-pairs expressions, similarly to value-pairs based destinations.
Available in syslog-ng OSE version
parser parser_name {
map-value-pairs(
<list-of-value-pairs-options>
);
};The following example creates a new name-value pair called username, adds the hashed value of the .apache.username to this new name-value pair, then adds the webserver prefix to the name of every name-value pair of the message that starts with .apache
parser p_remap_name_values {
map-value-pairs(
pair("username", "'($sha1 $.apache.username)")
key('.apache.*' rekey(add-prefix("webserver")))
);
};© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center