44
44
<td><b>fromhost</b></td>
45
45
<td>hostname of the system the message was received from
46
46
(in a relay chain, this is the system immediately in front of us and
47
not necessarily the original sender)</td>
47
not necessarily the original sender). This is a DNS-resolved name, except
48
if that is not possible or DNS resolution has been disabled.</td>
51
<td><b>fromhost-ip</b></td>
52
<td>The same as fromhost, but alsways as an IP address. Local inputs
53
(like imklog) use 127.0.0.1 in this property.</td>
50
56
<td><b>syslogtag</b></td>
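Review bot: the added fromhost-ip description (new line 52) has a typo: "alsways" should be "always". In the fromhost cell (new lines 47-48) the text says the value is a DNS-resolved name unless resolution is not possible or has been disabled, but it does not say what the property holds in that case. State the fallback explicitly so that readers who filter or template on fromhost know what to expect. Because fromhost depends on name resolution, it would also help to point readers at fromhost-ip when they need a value that does not.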
198
204
property replacer will return the part of the property text that
199
205
matches the regular expression. An example for a property replacer
200
206
sequence with a regular expression is: "%msg:R:.*Sev:. \(.*\)
208
<p>It is possible to specify some parametes after the "R". These are
209
comma-separated. They are:
210
<p>R,<regexp-type>,<submatch>,<nomatch>,<match-number>
211
<p>regexp-type is either "BRE" for Posix basic regular expressions or
212
"ERE" for extended ones. The string must be given in upper case. The
213
default is "BRE" to be consistent with earlier versions of rsyslog that
214
did not support ERE. The submatch identifies the submatch to be used
215
with the result. A single digit is supported. Match 0 is the full match,
216
while 1 to 9 are the acutal submatches. The match-number identifies which match to
217
use, if the expression occurs more than once inside the string. Please note
218
that the first match is number 0, the second 1 and so on. Up to 10 matches
219
(up to number 9) are supported. Please note that it would be more
220
natural to have the match-number in front of submatch, but this would break
221
backward-compatibility. So the match-number must be specified after "nomatch".
222
<p>nomatch is either "DFLT", "BLANK", ZERO or "FIELD" (all upper case!). It tells
223
what to use if no match is found. With "DFLT", the strig "**NO MATCH**" is
224
used. This was the only supported value up to rsyslog 3.19.5. With "BLANK"
225
a blank text is used (""). With "ZERO", "0" is used.
226
Finally, "FIELD" uses the full property text
227
instead of the expression. Some folks have requested that, so it seems
229
<p>The following is a sample of an ERE expression that takes the first
230
submatch from the message string and replaces the expression with
231
the full field if no match is found:
232
<p>%msg:R,ERE,1,FIELD:for (vlan[0-9]*):--end%
233
<p>and this takes the first submatch of the second match of said expression:
234
<p>%msg:R,ERE,1,FIELD,1:for (vlan[0-9]*):--end%
235
<p><b>Please note: there is also a
236
<a href="http://www.rsyslog.com/tool-regex">rsyslog regular expression checker/generator</a>
237
online tool available.</b> With that tool, you can check your regular expressions and
238
also generate a valid property replacer sequence. Usage of this tool is recommended.
239
Depending on the version offered, the tool may not cover all subleties that can
240
be done with the property replacer. It concentrates on the most often used cases. So it
241
is still useful to hand-craft expressions for demanding environments.
203
242
<p><b>Also, extraction can be done based on so-called
204
243
"fields"</b>. To do so, place a "F" into FromChar. A field in its
205
244
current definition is anything that is delimited by a delimiter
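Review bot: the syntax line at new line 210, "R,<regexp-type>,<submatch>,<nomatch>,<match-number>", writes its placeholders with bare angle brackets in an HTML file, so a browser will treat them as unknown tags and the line will render as little more than "R,,,,". Escape them as &lt;...&gt;. In the nomatch paragraph (new line 222) ZERO is the only value not in quotes; quote it like "DFLT", "BLANK" and "FIELD". Typos in the added text: "parametes" (208), "acutal" (216), "strig" (223), "subleties" (239). For the two samples at 232 and 234, a short note on what each returns for a sample message would make the difference between submatch and match-number easier to verify.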
358
<p>To use multiple options, simply place them one after each other with a comma delmimiting
359
them. For example "escape-cc,sp-if-no-1st-sp". If you use conflicting options together,
360
the last one will override the previous one. For example, using "escape-cc,drop-cc" will
361
use drop-cc and "drop-cc,escape-cc" will use escape-cc mode.
315
362
<h2>Further Links</h2>
317
364
<li>Article on "<a href="rsyslog_recording_pri.html">Recording
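Review bot: typo at new line 358: "delmimiting" should be "delimiting". The override rule (the last of two conflicting options wins) is illustrated clearly with the escape-cc/drop-cc pair, but the text does not say which options conflict with one another. List the conflicting groups, or say that escape-cc and drop-cc are the only such pair if that is the case.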