Re: [Echelog-devel] Rewriting rules

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Thu, Feb 20, 2003 at 09:40:54AM +0100, Benoit DOLEZ wrote:
> >>The Rewrite module can transform a messagetype in an other messagetype
> >>after doing some conversions on VARCHAR.
> >>
> >>sample:
> >>--------------------------------------------------------------------
> >>Filter is:
> >>LINE~"^(... [0-9]+ [0-9:]{8}) .*: ([^:]+): from=<?([^,])>?, 
> >>size=([0-9]+), relay=(.*)$",DATE=\1,SPOOL=\2,MAILFROM=\3,SIZE=\4,RELAY=\5
> >>--------------------------------------------------------------------
> >>For log as:
> >>Feb 17 12:22:18 local@server1 sendmail[15624]: h1HBMIVd015624: 
> >>from=<bd...@so...>, size=945, class=0, nrcpts=1, 
> >>msgid=<3E5...@so...>, proto=ESMTP, daemon=MTA, 
> >>relay=relay1.societe.local [172.16.0.2]
> >>--------------------------------------------------------------------
> >>The result is ....
> >>
> >>Do you have some ideas about the best method to use?
> >>
> >>Benoit
> >
> 
> >The rewriter module may be RULE based as filter is. Thus it could match
> >a regular expression, and assign the results of individual matches (\1,
> >\2, ...) to attributes in resulting messages
> >
> >The matched substrings can be parsed into echelog types using
> >get_type_instance like function and sscan features. However some
> >portions of filter module would be probably duplicated (or may be put
> >into a lib if carefully thought out ;)
> 
> ok
> >
> >What do you think?
> 
> The config file is like that :
> [Rewrite]
> Rule {
>     MSGFROM SimpleMessage,mes0
>     MSGTO   MailFromMessage,mai0
>     LINE~".....",MSG.msg_time=\1,ID=\2,FROM=\3,SIZE=\4
> }

OK, just make it readable enough ;) and document it please.

> 
> That seems to be good but what about perfs? I have to run lot of 
> filter/rewrite.

Yes, this could be a problem. But the rewriter module will hardly be
on a monitored production server. If the rules and regexps were
simple enough (no backtracking) the dedicated logging machine
should manage it. 

This seems to be the simpliest way how to implement such rewriting
module anyway. I think it is worth trying. If there were performance
problems, we would see what we can do about it.

Kamil

> 
> Benoit
> 