syslog

Building a log server with syslog-NG


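import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;

// Computes the interval between two fixed timestamps and prints it to stderr.
public static int interal()
{
    DateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
    try {
        /*Date d1 = df.parse("2004-03-26 13:31:40");
        Date d2 = df.parse("2004-01-02 11:30:24"); */

        Date d1 = df.parse("2005-03-27 11:30:40");
        Date d2 = df.parse("2004-03-26 11:30:40");

        // Difference in milliseconds
        long diff = d1.getTime() - d2.getTime();

        System.err.println("diff---++++++++" + diff);
        // Difference in minutes
        System.err.println("diff/1000/60---++++++++" + diff / 1000 / 60);

        // Difference in whole days
        long days = diff / (1000 * 60 * 60 * 24);
        System.err.println("days---++++++++" + days);
    }
    catch (Exception e)
    {
        // Report parse failures instead of silently swallowing them
        e.printStackTrace();
    }
    return 0;
}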

-------------------

4.10. Rewriting messages
The syslog-ng application can rewrite parts of log messages: it can search and replace text, and also set a specific field to a specified value. Rewriting messages is often used in conjunction with message parsing (see Section 4.8, “Parsing messages”).

Rewrite rules are similar to filters: they must be defined in the syslog-ng configuration file and used in the log statement.

Note
The order of filters, rewriting rules, and parsers in the log statement is important, as they are processed sequentially.


To replace a part of the log message, define the string or regular expression to replace, the string to replace the original text (macros can be used as well), and the field of the message that the rewrite rule should process. Substitution rules can operate on any value available via macros, for example HOST, MESSAGE, PROGRAM, or any user-defined macros created using parsers (see Section 6.6, “Message parsers” for details). The only exceptions are the FACILITY, SEVERITY, TAGS, and the date-related fields, which cannot be rewritten. Substitution rules use the following syntax:

Declaration:
rewrite <name_of_the_rule>
{subst("<string or regular expression to find>", "<replacement string>", value(<field name>), flags());};
A single substitution rule can include multiple substitutions that are applied sequentially to the message. Note that rewriting rules must be included in the log statement to have any effect.

Tip
For case-insensitive searches, add the flags(ignore-case) option; to replace every occurrence of the string, add the flags(global) option.


Example 4.41. Using substitution rules
The following example replaces the first occurrence of the string IP in the text of the message with the string IP-Address.

rewrite r_rewrite_subst{subst("IP", "IP-Address", value("MESSAGE"));};
To replace every occurrence, use:

rewrite r_rewrite_subst{subst("IP", "IP-Address", value("MESSAGE"), flags("global"));};
Multiple substitution rules are applied sequentially; the following rules replace the first occurrence of the string IP with the string IP-Addresses.

rewrite r_rewrite_subst{subst("IP", "IP-Address", value("MESSAGE")); subst("Address", "Addresses", value("MESSAGE"));};


To set a field of the message to a specific value, define the string to include in the message, and the field where it should be included. Setting a field can operate on any value available via macros, for example HOST, MESSAGE, PROGRAM, or any user-defined macros created using parsers (see Section 6.6, “Message parsers” for details). The only exceptions are the FACILITY, SEVERITY, TAGS, and the date-related fields, which cannot be rewritten. Note that the rewrite operation completely replaces any previous value of that field. Use the following syntax:

Declaration:
rewrite <name_of_the_rule>
{set("<string to include>", value(<field name>));};
Example 4.42. Setting message fields to a particular value
The following example sets the HOST field of the message to myhost.

rewrite r_rewrite_set{set("myhost", value("HOST"));};
The following example sets the sequence ID field of the RFC5424-formatted (IETF-syslog) messages to a fixed value.

rewrite r_sd { set("55555", value(".SDATA.meta.sequenceId")); };
It is also possible to set the value of a field that does not exist yet, and create a new name-value pair that is associated with the message. The following example creates the MODIFIED field and sets its value to yes. If you use the $MODIFIED macro in a template or SQL table, its value will be yes for every message that was processed with this rewrite rule, and empty for every other message.

rewrite r_rewrite_set{set("yes", value("MODIFIED"));};
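
The following configuration fragment is an added example, not part of the original guide. It places the rewrite rules above in log statements to show that they only take effect there and that elements are processed in the order listed. The names s_net, f_has_ip, f_has_ip_address, d_rewritten, d_tagged and the file paths are assumptions.

```conf
# Constructed example: source, filter and destination names and paths are assumptions.
source s_net { udp(ip(0.0.0.0) port(514)); };

# Matches the original text of the message.
filter f_has_ip { match("IP" value("MESSAGE")); };
# Matches only text that exists after r_rewrite_subst has run.
filter f_has_ip_address { match("IP-Address" value("MESSAGE")); };

rewrite r_rewrite_subst {
    subst("IP", "IP-Address", value("MESSAGE"), flags("global"));
};
rewrite r_rewrite_set { set("yes", value("MODIFIED")); };

destination d_rewritten {
    file("/var/log/rewritten.log"
         template("$ISODATE $HOST $PROGRAM modified=$MODIFIED $MESSAGE\n"));
};
destination d_tagged {
    file("/var/log/tagged.log"
         template("$ISODATE $HOST modified=$MODIFIED $MESSAGE\n"));
};

# Path 1: the filter sees the message as received, then both rewrites apply.
log {
    source(s_net);
    filter(f_has_ip);
    rewrite(r_rewrite_subst);
    rewrite(r_rewrite_set);
    destination(d_rewritten);
};

# Path 2: the filter runs after the substitution, so it tests the rewritten
# MESSAGE. r_rewrite_set is not referenced here, so $MODIFIED stays empty
# in /var/log/tagged.log.
log {
    source(s_net);
    rewrite(r_rewrite_subst);
    filter(f_has_ip_address);
    destination(d_tagged);
};
```

Because a rewrite such as set("myhost", value("HOST")) replaces the previous value completely, any filter or template that relies on the original value must appear before the rewrite in the log statement.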


