<div dir="ltr">I think I've found a solution.<br>If the program attribute is empty, then the attributes $MSG and $MSGONLY should be equal.<br>Does the filter function match() try to match $MSG or $MSGONLY?<br><br>
Trying this doesn't work, but I think this can be the beginning of the solution:<br><br>match($MSGONLY)<br>or,<br>match($MSG)<br>depending on which of $MSG or $MSGONLY the filter function applies to.<br><br><div class="gmail_quote">
2008/8/29 G R <span dir="ltr"><<a href="mailto:ng.syslogng@gmail.com" target="_blank">ng.syslogng@gmail.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div dir="ltr">I've looked at the program field and it's empty.<br>It seems that syslog-ng tries to find the program attribute before ":" and my logs start with this ":". Printing the program attribute in my log shows me that this attribute is really empty.<br>
So I'd like to make a filter using a matcher for the ":" of the message and another matcher on the empty program attribute.<br><br><div class="gmail_quote">2008/8/29 Geller, Sandor (IT) <span dir="ltr"><<a href="mailto:Sandor.Geller@morganstanley.com" target="_blank">Sandor.Geller@morganstanley.com</a>></span><div>
<div></div><div><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi,<br>
<div><br>
> I got something in the message that can help, but I'd like to<br>
> use it with the empty program attribute (being as specific as<br>
> possible).<br>
><br>
> So there is no way to filter an empty program attribute?<br>
<br>
</div>I don't think so. When syslog-ng parses the log it has to guess<br>
what format is applied to the log line, so it will fill in the<br>
program field with the first string which is right after the<br>
priority date hostname triplet. So I think at least one word<br>
of your log will end up in the program field, and it isn't<br>
available for match() later... You could work around this by<br>
combining the program() and the match() into a single filter,<br>
or use an external program to do the filtering.<br>
<br>
Regards,<br>
<br>
Sandor<br>
<div><div></div><div>
</div></div></blockquote></div></div></div><br></div>
</blockquote></div><br></div>