Hi Fabien,

Thanks for your response.

I was using this snippet of code (taken from documentation) before, but doesn't seem to work either:

value("MESSAGE" "$(format-json .auditd.*)")

So how do I output an aggregated message to the test.json file ? Or any file.

I apologize if my questions are basic, but I had a hard time finding answers in documentation. Grouping-by() function could definitely use more explanation.

Kind regards

Maciej

wt., 3 lis 2020 o 13:05 Fabien Wernli <wernli@in2p3.fr> napisał(a):

Hi Maciek,

On Tue, Nov 03, 2020 at 12:24:40PM +0100, Maciek Solnicki wrote:
> *  destination {*
> *    file('/tmp/test.json' template("$(format-json .auditd.*)\n"));*
> *  };*
> *};*

This means you're outputting the contents of all `.auditd.` macros to file
test.json.

But your grouping-by parser generates a message with the macro MESSAGE set
to the value "TEST" :

> *    grouping-by(*
> *      key("${.auditd.msg}")*
> *      timeout(10)*
> *      aggregate(value("MESSAGE" "TEST"))*
> *    );*

So you won't see it in test.json.
Well, more exactly you should see it as the default value of
aggregate(inherit-mode()) is "context", but you won't see the MESSAGE:TEST
macro as you're omitting it from your output.
I'm guessing you should see a message twice in that case.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq