From: Kamil T. <kt...@em...> - 2003-02-19 16:39:53
On St, 2003-02-19 at 00:54, Benoit DOLEZ wrote:
> Hello again,
>
> I'm looking to do stats on logged data like the iptables log and maillog.
> I want to execute these actions:
> RemoteHost : getlog(/var/log/messages) -> Sender(Hub)
> Hub : receiver(RemoteHost) -> Filter -l001->
> -> Rewriter(MailMessages) -> binstor/rrdtool
>
> The Rewrite module can transform a messagetype into another messagetype
> after doing some conversions on VARCHAR.
>
> sample:
> --------------------------------------------------------------------
> Filter is:
> LINE~"^(... [0-9]+ [0-9:]{8}) .*: ([^:]+): from=<?([^,])>?,
> size=([0-9]+), relay=(.*)$",DATE=\1,SPOOL=\2,MAILFROM=\3,SIZE=\4,RELAY=\5
> --------------------------------------------------------------------
> For log as:
> Feb 17 12:22:18 local@server1 sendmail[15624]: h1HBMIVd015624:
> from=<bd...@so...>, size=945, class=0, nrcpts=1,
> msgid=<3E5...@so...>, proto=ESMTP, daemon=MTA,
> relay=relay1.societe.local [172.16.0.2]
> --------------------------------------------------------------------
> The result is ....
>
> Do you have some ideas about the best method to use?
>
> Benoit

Hi!

I think this module could work like a filter, which would pass all
messages (or individual chunks) it doesn't know and translate known
data to a new type of message.

The rewriter module may be RULE based, as the filter is. Thus it could match
a regular expression and assign the results of individual matches (\1,
\2, ...) to attributes in the resulting messages.

The matched substrings can be parsed into echelog types using
a get_type_instance-like function and sscan features. However, some
portions of the filter module would probably be duplicated (or may be put
into a lib if carefully thought out ;)

What do you think?

Kamil
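
A minimal sketch of the rule-based rewriter discussed in this thread, added here as an example; it is not echelog code and not from either poster. The `rewrite` function, the `MailMessages` type name, the regex, the int conversion standing in for typed parsing, and both sample log lines are assumptions constructed for illustration.

```python
import re

# Constructed sample lines (addresses are placeholders, not real data).
SAMPLE_MAIL = (
    "Feb 17 12:22:18 local@server1 sendmail[15624]: h1HBMIVd015624: "
    "from=<user@example.com>, size=945, class=0, nrcpts=1, "
    "msgid=<id@example.com>, proto=ESMTP, daemon=MTA, "
    "relay=relay1.societe.local [172.16.0.2]"
)
SAMPLE_OTHER = "Feb 17 12:22:19 server1 kernel: IN=eth0 SRC=172.16.0.9 DPT=25"

# One rule: a pattern plus a map of attribute -> (capture group, converter).
# The pattern is written for this example; it is not the regex from the post.
MAIL_RULE = (
    "MailMessages",  # hypothetical name for the resulting message type
    re.compile(
        r"^(\w{3} +\d+ [\d:]{8}) \S+ sendmail\[\d+\]: (\w+): "
        r"from=<?([^>,]*)>?, size=(\d+),.* relay=(.*)$"
    ),
    {
        "DATE": (1, str),
        "SPOOL": (2, str),
        "MAILFROM": (3, str),  # sender-supplied, treat as untrusted text
        "SIZE": (4, int),      # typed conversion of the matched substring
        "RELAY": (5, str),
    },
)


def rewrite(line, rules=(MAIL_RULE,)):
    """Translate a known line to (type, attrs); pass unknown lines through."""
    for msg_type, pattern, attrs in rules:
        match = pattern.match(line)
        if match:
            values = {
                name: convert(match.group(group))
                for name, (group, convert) in attrs.items()
            }
            return msg_type, values
    return "raw", line  # unknown messages are forwarded unchanged


if __name__ == "__main__":
    print(rewrite(SAMPLE_MAIL))
    print(rewrite(SAMPLE_OTHER))
```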