This section describes how to set a message field in syslog-ng OSE.

To set a field of the message to a specific value, you have to:

  • define the string to include in the message, and

  • select the field where it should be included.

You can set the value of available macros, for example, ${HOST}, ${MESSAGE}, ${PROGRAM}, or any user-defined macros created using parsers (for details, see parser: Parse and segment structured messages and db-parser: Process message content with a pattern database (patterndb)). Note that the rewrite operation completely replaces any previous value of that field.

Hard macros cannot be modified, so they will not be overwritten. For details on the hard and soft macros, see Hard versus soft macros.

Use the following syntax:

Declaration

rewrite <name_of_the_rule> {
    set("<string to include>", value(<field name>));
};

Example: Setting message fields to a particular value

The following example sets the HOST field of the message to myhost.

rewrite r_rewrite_set{
    set("myhost", value("HOST"));
};

The following example appends the "suffix" string to the MESSAGE field:

rewrite r_rewrite_set{
    set("${MESSAGE} suffix", value("MESSAGE"));
};

For details on rewriting SDATA fields, see Creating custom SDATA fields. You can also use the following options in rewrite rules that use the set() operator.

rewrite <name_of_the_rule> {
    set("<string to include>", value(<field name>), on-error("fallback-to-string");
};

The severity and facility fields can only be set by the set-severity() rewrite functions.

For more information, see Setting severity with the set-severity() rewrite function.

Updated: