diff options
Diffstat (limited to 'doc/property_replacer.html')
| -rw-r--r-- | doc/property_replacer.html | 51 |
1 files changed, 47 insertions, 4 deletions
diff --git a/doc/property_replacer.html b/doc/property_replacer.html index 367c8add..f666fb76 100644 --- a/doc/property_replacer.html +++ b/doc/property_replacer.html @@ -72,7 +72,7 @@ BSD syslogd. For example, when TAG is "named[12345]", programname is "syslog.info")</td> </tr> <tr> -<td><span style="font-weight: bold;">iut</span></td> +<td><b>iut</b></td> <td>the monitorware InfoUnitType - used when talking to a <a href="http://www.monitorware.com">MonitorWare</a> backend (also for <a href="http://www.phplogcon.org/">phpLogCon</a>)</td> @@ -138,10 +138,26 @@ draft-ietf-syslog-protocol</td> draft-ietf-syslog-protocol</td> </tr> <tr> -<td height="24"><b>msgid</b></td> -<td height="24">The contents of the MSGID field from +<td><b>msgid</b></td> +<td>The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol</td> </tr> +<td><b>inputname</b></td> +<td>The name of the input module that generated the +message (e.g. "imuxsock", "imudp"). Note that not all modules +necessarily provide this property. If not provided, it is an +empty string. Also note that the input module may provide +any value of its liking. Most importantly, it is <b>not</b> +necessarily the module input name. Internal sources can also +provide inputnames. Currently, "rsyslogd" is defined as inputname +for messages internally generated by rsyslogd, for example startup +and shutdown and error messages. +This property is considered useful when trying to filter messages +based on where they originated - e.g. locally generated messages +("rsyslogd", "imuxsock", "imklog") should go to a different place +than messages generated somewhere. +</td> +</tr> <tr> <td><b>$now</b></td> <td>The current date stamp in the format YYYY-MM-DD</td> @@ -177,6 +193,11 @@ range from 0 to 3 (for the four quater hours that are in each hour)</td> <td><b>$minute</b></td> <td>The current minute (2-digit)</td> </tr> +<tr> +<td><b>$myhostname</b></td> +<td>The name of the current host as it knows itself (probably useful +for filtering in a generic way)</td> +</tr> </tbody> </table> <p>Properties starting with a $-sign are so-called system @@ -250,8 +271,30 @@ same example with semicolon as delimiter is "%msg:F,59:3%".</p> <p>Please note that the special characters "F" and "R" are case-sensitive. Only upper case works, lower case will return an error. There are no white spaces permitted inside the sequence (that will lead -to error messages and will NOT provide the intended result).<br> +to error messages and will NOT provide the intended result).</p> +<p>Each occurence of the field delimiter starts a new field. However, +if you add a plus sign ("+") after the field delimiter, multiple +delimiters, one immediately after the others, are treated as separate +fields. This can be useful in cases where the syslog message contains +such sequences. A frequent case may be with code that is written as +follows:</p> +<code><pre> +int n, m; +... +syslog(LOG_ERR, "%d test %6d", n, m); +</pre></code> +<p>This will result into things like this in syslog messages: +"1 test 2", +"1 test 23", +"1 test 234567" +<p>As you can see, the fields are delimited by space characters, but +their exact number is unknown. They can properly be extracted as follows: +<p> +"%msg:F,32:2%" to "%msg:F,32+:2%". +<p>This feature was suggested by Zhuang Yuyao and implemented by him. +It is modeled after perl compatible regular expressions. </p> + <h2>Property Options</h2> <b><code>property options</code></b> are case-insensitive. Currently, the following options are defined: |