syslog-ng documentation

Your main source of knowledge

The syslog-ng product family has an extensive documentation, covering everything from how to install a product to the most complex configuration and settings descriptions. If you cannot find an answer to your question, try the mailing list - our community is always eager to help.

syslog-ng Premium Edition

Contents

11.2.3. Unsetting message fields The syslog-ng Premium Edition 7 Administrator Guide

You can unset a macro or a field of the message, including any user-defined macros created using parsers (for details, see Chapter 12, Parsers and segmenting structured messages and Chapter 13, Processing message content with a pattern database). Hard macros cannot be modified. For details on hard and soft macros, see Section 11.1.4, Hard vs. soft macros). Note that the unset operation completely deletes any previous value of the field that you apply it on. Use the following syntax:

Declaration: 

rewrite <name_of_the_rule> {
    unset(value("<field name>"));
};
Example 11.21. Unsetting a message field

The following example unsets the HOST field of the message.

rewrite r_rewrite_unset{unset(value("HOST"));};

To unset a group of fields, you can use the groupunset() rewrite rule.

Declaration: 

rewrite <name_of_the_rule> {
    groupunset(values("<expression-for-field-names>"));
};
Example 11.22. Unsetting a group of fields

The following rule clears all SDATA fields:

rewrite r_rewrite_unset_SDATA{ groupunset(values(".SDATA.*"));};