<div dir="ltr">That's a great question--I have no idea if two parser entries mandate double parsing. If you want to make sure that only your custom log {} statement will be used, you can use flags(final) in your log {} stanza to ensure that no messages will continue on to the other log statements.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, May 14, 2013 at 11:22 PM, Russell Fulton <span dir="ltr"><<a href="mailto:r.fulton@auckland.ac.nz" target="_blank">r.fulton@auckland.ac.nz</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 13/05/2013, at 3:58 PM, Martin Holste <<a href="mailto:mcholste@gmail.com">mcholste@gmail.com</a>> wrote:<br>
<br>
> The issue is probably where the filter resides. I use that filter (in fact, it's in an optional ELSA config right now) and it works, but you have to remember that ${.classifier.class} isn't set until after the patterndb parser is run, so the filter() statement has to be after parser(p_db);<br>
><br>
<br>
</div>I finally figured out what the issue was here. It had to be something totally, idiotically simple and it was.<br>
<br>
Martin was on the right track with the order of filters relative to parser(p_db);<br>
<br>
What had happened was that I had originally the filter in a second log {} clause after one that contained the parser() entry so everything worked. Martin introduce the elsa_syslog.conf include and I moved all my local mods into there so now the filter was in a log{} clause that did not have a parser() entry and was now before the one that had it.<br>
<br>
I won't tell how many hours careful elimination it took to track this down.<br>
<br>
For elsa users if you put new log{} clauses in the include file you must have a parse() entry in them if you want to do anything with the classifier results.<br>
<br>
Question: Will having two parser() entries result in the log message being parsed twice? My guess is that it will.<br>
<div class="HOEnZb"><div class="h5"><br>
R<br>
<br>
<br>
> On Fri, May 10, 2013 at 11:51 PM, Evan Rempel <<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>> wrote:<br>
> Wait a second. Version 3.2.x ... really?<br>
> That's quite old. There was a bug with the<br>
> .classifier.X tags some time in the past, and it might have been in those old versions. Certainly version 3.3 would be recommended, and all of y work is done with 3.4.x<br>
><br>
> My advice my be specific to version 3.4 :-(<br>
><br>
><br>
><br>
><br>
> Evan Rempel <a href="tel:250.271.7691" value="+12502717691">250.271.7691</a><br>
> University Systems, University of Victoria<br>
><br>
> Evan Rempel <<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>> wrote:<br>
><br>
> This definitely works. I'm using it right now.<br>
><br>
> If it isn't working, then your pattern in the patterndb is not matching. We literally run millions of messages per hour through this exact filter ... I copied and pasted it from our pattern database.<br>
><br>
><br>
><br>
> Evan Rempel <a href="tel:250.271.7691" value="+12502717691">250.271.7691</a><br>
> University Systems, University of Victoria<br>
><br>
> Russell Fulton <<a href="mailto:r.fulton@auckland.ac.nz">r.fulton@auckland.ac.nz</a>> wrote:<br>
><br>
><br>
> On 11/05/2013, at 2:26 PM, Evan Rempel <<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>> wrote:<br>
><br>
> > Try this filter<br>
> ><br>
> ><br>
> > filter f_unknown {<br>
> > tags(".classifier.unknown");<br>
> > };<br>
> ><br>
><br>
> This always appears to return true. I.e. this filter includes everything. Negating it includes nothing.<br>
><br>
> I have tried to install 3.2.5 as this is the last version that ELSA is confirmed to work with but that does not start:<br>
><br>
> Starting syslog-ng<br>
> /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libsyslog-ng.so.0: cannot open shared object file: No such file or directory<br>
><br>
> So far as I can tell all the lib files are present and correct and in the same place as the previous version?<br>
><br>
> I have syslog-ng installed in /usr/local/syslog-ng-<version> and a symlink /usr/local/syslog-ng pointing to the version to use.<br>
><br>
> Russell<br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
><br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
You received this message because you are subscribed to the Google Groups "enterprise-log-search-and-archive" group.<br>
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:enterprise-log-search-and-archive%2Bunsubscribe@googlegroups.com">enterprise-log-search-and-archive+unsubscribe@googlegroups.com</a>.<br>
For more options, visit <a href="https://groups.google.com/groups/opt_out" target="_blank">https://groups.google.com/groups/opt_out</a>.<br>
<br>
<br>
</font></span></blockquote></div><br></div>