25.14. Rewriting and Modifying Messages

There are many ways to modify log messages.

25.14.1. Simple Rewrite

A simple rewrite can be done by modifying the $raw_event field without parsing the message (with Syslog, for example). Regular expression capturing can be used for this.

Example 113. Simple Rewrite Statement

This statement, when used in an Exec directive, will apply the replacement directly to the $raw_event field. In this case, a parsing procedure like parse_syslog() would not be used.

if $raw_event =~ /^(aaaa)(replaceME)(.+)/
    $raw_event = $1 + 'replaceMENT' + $3;

Example 114. Converting a Timestamp Format

This example will convert a timestamp field to a different format. Like the previous example, the goal is to modify the $raw_event field directly, rather than use other fields and then a procedure like to_json() to update $raw_event.

The input log format is line-based, with whitespace-separated fields. The first field is a timestamp expressed as seconds since the epoch.

Input Sample
1301471167.225121 AChBVvgs1dfHjwhG8 141.143.210.102 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty)

In the output module instance Exec directive, the regular expression will match and capture the first field from the line, and remove it. This captured portion is parsed with the parsedate() function and used to set the $EventTime field. This field is then prepended to the $raw_event field to replace the previously removed field.

nxlog.conf
<Input in>
    Module  im_file
    File    "conn.log"
</Input>

<Output out>
    Module  om_tcp
    Host    192.168.0.1
    Port    1514
    <Exec>
        if $raw_event =~ s/^(\S+)//
        {
            $EventTime = parsedate($1);
            $raw_event = strftime($EventTime, 'YYYY-MM-DDThh:mm:ss.sTZ') +
                         $raw_event;
        }
    </Exec>
</Output>

Output Sample
2011-03-30T00:46:07.225121-07:00 AChBVvgs1dfHjwhG8 141.143.210.102 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty)
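The same transformation written out in Python, as an added illustration rather than anything from the NXLog configuration above: the leading field is captured with the same ^(\S+) pattern, parsed as epoch seconds, and prepended again in ISO 8601 form. The -07:00 offset is an assumption taken from the output sample, and parse_epoch, rewrite_timestamp and SAMPLE_LINE are names chosen here. One point the Exec block leaves implicit is what happens when the first field is not a timestamp (a header or a truncated line): the substitution would still remove it and parsedate() would yield no usable time, so this version returns such a line unchanged instead.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample line, shaped like the conn.log record shown above: whitespace-
# separated fields, the first being seconds since the epoch with a microsecond fraction.
SAMPLE_LINE = ("1301471167.225121 AChBVvgs1dfHjwhG8 141.143.210.102 5353 "
               "224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty)")

# Assumed output zone; the page's output sample carries a -07:00 offset.
LOCAL_TZ = timezone(timedelta(hours=-7))

FIRST_FIELD = re.compile(r"^(\S+)")   # same capture as s/^(\S+)// in the Exec block


def parse_epoch(field, tz=LOCAL_TZ):
    """Parse 'seconds[.fraction]' into an aware datetime, or return None when the
    field is not a plain epoch timestamp. The fraction is handled as text so the
    microseconds survive exactly instead of passing through a float."""
    secs, _, frac = field.partition(".")
    if not secs.isdigit() or (frac and not frac.isdigit()):
        return None
    micros = int((frac + "000000")[:6])
    return datetime.fromtimestamp(int(secs), tz).replace(microsecond=micros)


def rewrite_timestamp(raw_event, tz=LOCAL_TZ):
    """Strip the leading field, parse it, and prepend it again in ISO 8601 form.
    A line whose first field does not parse is returned unchanged rather than
    being emitted with a fabricated time or with its first field silently dropped."""
    m = FIRST_FIELD.match(raw_event)
    if m is None:
        return raw_event
    event_time = parse_epoch(m.group(1), tz)
    if event_time is None:
        return raw_event
    # raw_event[m.end():] is what the substitution leaves behind: the rest of the
    # line, still carrying its leading space.
    return event_time.isoformat(timespec="microseconds") + raw_event[m.end():]


if __name__ == "__main__":
    print(rewrite_timestamp(SAMPLE_LINE))
```

Running the block prints the line from the output sample above. Keeping the fractional part as text rather than as a float matters when the timestamp is later used as a sort key or for correlation across sources: a float round trip can shift the last microsecond digit.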

25.14.2. Modifying Fields

A more complex method is to parse the message into fields, modify some fields, and finally reconstruct the message from the fields. This method is much more versatile: it allows rewriting to be done regardless of input and output formats.

Example 115. Rewrite Using Fields

In this example, each Syslog message is received via UDP and parsed with parse_syslog_bsd(). Then, if the $Message field matches the regular expression, the $SeverityValue field is modified. Finally, the to_syslog_bsd() procedure generates $raw_event from the fields.

nxlog.conf
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input udp>
    Module  im_udp
    Port    514
    Host    0.0.0.0
    Exec    parse_syslog_bsd();
</Input>

<Output file>
    Module  om_file
    File    "/var/log/logmsg.txt"
    <Exec>
        if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
        to_syslog_bsd();
    </Exec>
</Output>

<Route syslog_to_file>
    Path    udp => file
</Route>
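To make the parse, modify, reconstruct cycle concrete, here is an added Python model of Example 115; it is not NXLog's parser and not code from the page. BSD_RE, parse_syslog_bsd, to_syslog_bsd and rewrite are names chosen here, the regular expression covers only the common RFC 3164 shape, and SeverityValue is assumed to carry the syslog 0-7 numbering so that PRI can be recomputed directly (a simplification of NXLog's own severity mapping). The comment in rewrite() records the caveat a practitioner should keep in mind about the /error/ test: it is case-sensitive and unanchored.

```python
import re

# Minimal model of the BSD syslog format (RFC 3164): <PRI>Mmm dd hh:mm:ss host tag[pid]: msg
# This is an added illustration, not NXLog's parser; it covers the common shape only.
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

SEVERITIES = ["emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"]


def syslog_severity_value(name):
    """Numeric syslog severity for a severity name (0 = emerg ... 7 = debug)."""
    return SEVERITIES.index(name)


def parse_syslog_bsd(raw_event):
    """Split a BSD syslog line into an event-record dict. A line that does not
    parse keeps its whole text as Message and gets PRI 13 (user.notice), the
    RFC 3164 default, so malformed input still flows rather than being lost."""
    m = BSD_RE.match(raw_event)
    if m is None:
        return {"FacilityValue": 1, "SeverityValue": 5, "Message": raw_event}
    pri = int(m["pri"])
    fields = {
        "FacilityValue": pri >> 3,
        "SeverityValue": pri & 7,
        "EventTime": m["ts"],
        "Hostname": m["host"],
        "SourceName": m["tag"],
        "Message": m["msg"],
    }
    if m["pid"] is not None:
        fields["ProcessID"] = int(m["pid"])
    return fields


def to_syslog_bsd(fields):
    """Rebuild the BSD syslog line from the fields, recomputing PRI from
    FacilityValue and SeverityValue so a changed severity reaches the output."""
    pri = fields["FacilityValue"] * 8 + fields["SeverityValue"]
    head = f"<{pri}>"
    if "EventTime" in fields:
        head += f"{fields['EventTime']} {fields['Hostname']} {fields['SourceName']}"
        if "ProcessID" in fields:
            head += f"[{fields['ProcessID']}]"
        head += ": "
    return head + fields["Message"]


def rewrite(raw_event):
    """Parse, raise the severity when Message contains 'error', and reconstruct."""
    fields = parse_syslog_bsd(raw_event)
    # Same test as the Exec block: /error/ is case-sensitive and matches anywhere
    # in the message ("Error" is missed, "errors" is matched). Tighten the pattern,
    # e.g. with \b or an anchor, before routing alerts on it.
    if re.search(r"error", fields["Message"]):
        fields["SeverityValue"] = syslog_severity_value("error")
    return to_syslog_bsd(fields)


# Constructed sample messages; PRI 14 is user.info.
SAMPLES = [
    "<14>Mar 30 00:46:07 host1 sshd[1234]: error: PAM: authentication failure",
    "<14>Mar 30 00:46:08 host1 sshd[1234]: Accepted publickey for alice",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(rewrite(line))
```

The first sample comes back with PRI 11 (user.error) and the second is reproduced byte for byte, which is the property to check whenever a rewrite stage is inserted into a pipeline: events that do not match the condition must not be altered at all.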

25.14.3. Renaming and Deleting Fields

In some cases it may be necessary to rename or delete fields.

The simplest way is to use the NXLog language and the Exec directive.

Example 116. Simple Field Rename

This statement uses rename_field() to rename the $user field to $AccountName.

rename_field($user, $AccountName);

Example 117. Simple Field Deletion

This statement uses the delete() procedure to delete the $Serial field.

delete($Serial);

Alternatively, the xm_rewrite extension module (available in NXLog Enterprise Edition) can be used to rename or delete fields.

Example 118. Using xm_rewrite to Whitelist and Rename Fields

This example uses the parse_syslog() procedure to create a set of Syslog fields in the event record. It then uses the Keep directive to whitelist a set of fields, deleting any field that is not in the list. Finally the Rename directive is used to rename the $EventTime field to $Timestamp. The resulting event record is converted to JSON and sent out via TCP.

nxlog.conf
<Extension json>
    Module  xm_json
</Extension>

<Extension rewrite>
    Module  xm_rewrite
    Keep    EventTime, Severity, Hostname, SourceName, Message
    Rename  EventTime, Timestamp
</Extension>

<Input in>
    Module  im_file
    File    '/var/log/messages'
    Exec    parse_syslog(); rewrite->process();
</Input>

<Output out>
    Module  om_tcp
    Host    10.0.0.1
    Port    1514
    Exec    to_json();
</Output>

<Route r>
    Path    in => out
</Route>

Example 119. Using xm_rewrite to Remove Fields

Here is an example Extension block that uses the Delete directive to delete all the severity fields. This could be used to prevent severity-based matching (during later processing) on an event source that does not set severity values correctly.

nxlog.conf
<Extension rewrite>
    Module  xm_rewrite
    Delete  SyslogSeverityValue, SyslogSeverity, SeverityValue, Severity
</Extension>
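An added Python model of what the Keep, Rename and Delete directives in Examples 118 and 119 do to an event record; it is not xm_rewrite's implementation and not code from the page. RECORD is a constructed event, process, whitelist_and_rename and strip_severity are names chosen here, and the order Keep, then Rename, then Delete is an assumption (the page describes the whitelist before the rename, and never combines them with Delete). From a defender's point of view both directives are about trust in the data leaving the host: Keep limits what is shipped over the wire to the fields the consumer needs, and Delete removes fields a source is known to fill in unreliably so that no later rule keys on them.

```python
import json

# Constructed event record, roughly what parse_syslog() yields for one message plus
# a few NXLog core fields (field names follow the ones used on the page).
RECORD = {
    "EventReceivedTime": "2011-03-30 00:46:07",
    "SourceModuleName": "in",
    "SourceModuleType": "im_file",
    "SyslogFacilityValue": 1,
    "SyslogFacility": "USER",
    "SyslogSeverityValue": 6,
    "SyslogSeverity": "INFO",
    "SeverityValue": 2,           # NXLog-side severity value for INFO
    "Severity": "INFO",
    "EventTime": "2011-03-30 00:46:07",
    "Hostname": "host1",
    "SourceName": "sshd",
    "ProcessID": 1234,
    "Message": "Accepted publickey for alice",
}


def process(record, keep=None, rename=(), delete=()):
    """Apply xm_rewrite-style Keep, Rename and Delete to a copy of the record.
    Order assumed here: Keep first (whitelist), then Rename, then Delete. A field
    named in Rename or Delete that is absent is skipped, since a missing field
    must not abort the pipeline."""
    out = dict(record)
    if keep is not None:
        out = {k: v for k, v in out.items() if k in keep}
    for old, new in rename:
        if old in out:
            out[new] = out.pop(old)
    for name in delete:
        out.pop(name, None)
    return out


def to_json(record):
    """Serialise the record the way the om_tcp output in Example 118 would."""
    return json.dumps(record, sort_keys=True)


# Example 118: ship only the whitelisted fields, with EventTime renamed to Timestamp.
def whitelist_and_rename(record):
    return process(record,
                   keep=("EventTime", "Severity", "Hostname", "SourceName", "Message"),
                   rename=(("EventTime", "Timestamp"),))


# Example 119: drop every severity field so downstream rules cannot key on them.
SEVERITY_FIELDS = ("SyslogSeverityValue", "SyslogSeverity", "SeverityValue", "Severity")


def strip_severity(record):
    return process(record, delete=SEVERITY_FIELDS)


if __name__ == "__main__":
    print(to_json(whitelist_and_rename(RECORD)))
    print(to_json(strip_severity(RECORD)))
```

A useful check when adding a Keep list is to diff the field names of a parsed sample against the list, as the test below does, so that a field the consumer relies on is not silently dropped.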