Hi
i try to rewrite the source field from a non-standard syslog message from a switch. It has the field “sourcefqdn” which contains the value (=the hostname of device) I want as value for the “source” field. Right now, in the source field there is the ip address of the device. Input is syslog (udp).
I set up a pipeline with one stage. this stage contains the following rule:
rule "switch_rewrite"
when
has_field("sourcefqdn") && to_string($message.sourcefqdn) == to_string(switch.example.com)
then
set_field("source", to_string("$message.sourcefqdn"));
end
I read up on message processing order and set the message processor configuration to let the Pipeline Processor run AFTER the Message Filter Chain, as I want all messages from the All Messages Stream to be processed.
But new messages from this device will still show up with their IP-Address as source as if they won’t get processed.
Therfore my questions are:
- Is this the correct way to do alter stuff in messages, e. g. rewriting hostnames?
- Is the order correct or didn’t I grasp the concept of stream processing?
- Is my rule code correct?
- Is it possible to check if the rule matches a certain message? E.g. not creating a message in the simulator but using one from the acutal stream? I can’t figure out how to add the field “sourcefqdn” in the simulator …
Any help & hints are much appreciated!