Hi,

Thanks for summarizing your experience and results.

On Fri, 2011-02-11 at 14:14 +0100, Valentijn Sessink wrote:
All right, replying to myself:
Valentijn Sessink wrote:
1) @ESTRING:postfix.remotehost:[@@IPvANY:postfix.remoteip@]</pattern>
I probably had a typo in the original pattern; as far as I can see, it does work with two consecutive pattern parsers.
Yes, it should. These are explicitly tested by the unit tests, but probably should be mentioned in the admin guide explicitly, as it comes up every now and then.
2) The syslog-ng OSE admin guide tells me to use @QSTRING:<>@ to match the
This is a bit unclear in the documentation. The documentation just mentions the QSTRING:<> match, while naturally, the < and > need to be escaped (&lt; and &gt;).
Again, a note would be useful that patterndb is in XML format, and thus XML special characters need to be escaped.
3) My third question boils down to: is it possible to correlate *one* single message into *two* separate trails?
Yes, you can, but at a cost. To match one message with two patterns, you will need two different pattern databases:

parser db1 { db_parser(file("/var/lib/syslog-ng/db1.xml")); };
parser db2 { db_parser(file("/var/lib/syslog-ng/db2.xml")); };
Can you explain why you needed this? Why couldn't you do all processing in your single rule?
Then, in the log {} entry, specify parser(db1) for the first pattern; and parser(db2) for the second. This seems to work as expected.
Trying to match with identical patterns in one database won't work (for technical reasons).
That's right, since rules are not evaluated sequentially.

--
Bazsi
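
The XML escaping issue from point 2, as an added example that is not part of the original message or of syslog-ng: it uses Python's standard XML parser to show that a `<pattern>` element containing a raw `<>` is not well-formed, while the escaped form round-trips to the intended pattern text. The field name `postfix.from` and the helper names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Pattern quoted in the message above; it contains no XML special characters.
ESTRING_PATTERN = "@ESTRING:postfix.remotehost:[@@IPvANY:postfix.remoteip@]"
# Constructed sample: QSTRING with < and > as quote characters.
# The field name "postfix.from" is an assumption, not from the message.
QSTRING_PATTERN = "from=@QSTRING:postfix.from:<>@"


def pattern_element(pattern_text):
    """Wrap pattern text in <pattern>, escaping &, < and > for XML."""
    return "<pattern>" + escape(pattern_text) + "</pattern>"


def is_well_formed(fragment):
    """True if the fragment parses as XML."""
    try:
        ET.fromstring(fragment)
    except ET.ParseError:
        return False
    return True


def pattern_seen_by_parser(fragment):
    """Return the pattern text an XML parser recovers from the element."""
    return ET.fromstring(fragment).text


def lint_patterns(fragments):
    """Return 1-based positions of <pattern> elements that are not well-formed."""
    return [i for i, frag in enumerate(fragments, 1) if not is_well_formed(frag)]


if __name__ == "__main__":
    unescaped = "<pattern>" + QSTRING_PATTERN + "</pattern>"
    escaped = pattern_element(QSTRING_PATTERN)
    print(escaped)
    # Position 2 (the unescaped QSTRING element) is reported.
    print(lint_patterns([pattern_element(ESTRING_PATTERN), unescaped, escaped]))
```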