Modifying messages using rewrite rules

The AxoSyslog application can rewrite parts of the messages using rewrite rules. Rewrite rules are global objects similar to parsers and filters and can be used in log paths. The AxoSyslog application has two methods to rewrite parts of the log messages: substituting (setting) a part of the message to a fix value, and a general search-and-replace mode.

  • Substitution completely replaces a specific part of the message that is referenced using a built-in or user-defined macro.

  • General rewriting searches for a string in the entire message (or only a part of the message specified by a macro) and replaces it with another string. Optionally, this replacement string can be a template that contains macros.

Rewriting messages is often used in conjunction with message parsing parser: Parse and segment structured messages.

Rewrite rules are similar to filters: they must be defined in the syslog-ng.conf configuration file and used in the log statement. You can also define the rewrite rule inline in the log path.

Replacing message parts

Setting message fields to specific values

Setting severity with the set-severity() rewrite function

Setting the facility field with the set-facility() rewrite function

Setting the priority of a message with the set-pri() rewrite function

Setting match variables with the set-matches() rewrite rule

Unsetting message fields

Renaming message fields

Creating custom SDATA fields

Setting multiple message fields to specific values

map-value-pairs: Rename value-pairs to normalize logs

Conditional rewrites

Adding and deleting tags

Rewrite the timezone of a message

Anonymizing credit card numbers

Last modified June 27, 2023: Update paths to follow-up moving the files (6585a5b)