On Mon, 2009-07-13 at 19:59 +0200, ILLES, Marton wrote:
Hi,
First you should simply try a pattern like this:
<pattern>@ESTRING:id_message: @</pattern>
This would match your line and would extract the message id. Then you can work on extending it. Also probably the easiest option is to use the @ANYSTRING@ parser which would match everything till the end of the message. It is available in the 3.1 git tree:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=commit;h=c22ee8dad59b56b9...
So your pattern would look something like this:
<pattern>@ESTRING:id_message: @@ANYSTRING:rest@</pattern>
In the SQL statement you can then use the ${id_message} and ${rest} macros. (Note that ANYSTRING is available only in the 3.1 tree which uses the newer patterndb format!)
Let me know if it works.
I didn't have time to completely integrate your patterndb v2 patches, so it still sits in a local branch and not on master. But ANYSTRING is already there.

-- Bazsi
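Added example, not part of the original messages and not syslog-ng's own code: a small Python emulation of how the pattern from the thread splits a message into the `id_message` and `rest` values. It assumes ESTRING reads up to its stop string (the text after the second colon, here a single space) and ANYSTRING takes everything that remains; the sample line and the function names are constructed for illustration.

```python
# Illustrative emulation only; this is not syslog-ng's implementation.
SAMPLE = "4F9D2A1B status=sent relay=local"  # constructed log message

def compile_pattern(pattern):
    """Split a patterndb-style pattern into (kind, name, arg) tokens."""
    tokens, i = [], 0
    while i < len(pattern):
        if pattern.startswith("@@", i):          # "@@" is an escaped literal "@"
            tokens.append(("LITERAL", None, "@"))
            i += 2
        elif pattern[i] == "@":                  # "@KIND:name:arg@"
            end = pattern.find("@", i + 1)
            if end == -1:
                raise ValueError("unterminated parser at offset %d" % i)
            kind, _, rest = pattern[i + 1:end].partition(":")
            name, _, arg = rest.partition(":")
            if kind not in ("ESTRING", "ANYSTRING"):
                raise ValueError("unsupported parser: " + kind)
            tokens.append((kind, name or None, arg))
            i = end + 1
        else:                                    # literal text up to the next "@"
            end = pattern.find("@", i)
            end = len(pattern) if end == -1 else end
            tokens.append(("LITERAL", None, pattern[i:end]))
            i = end
    return tokens

def match(pattern, message):
    """Return the extracted name/value pairs, or None when a token fails."""
    values, pos = {}, 0
    for kind, name, arg in compile_pattern(pattern):
        if kind == "LITERAL":
            if not message.startswith(arg, pos):
                return None
            pos += len(arg)
            continue
        if kind == "ESTRING":                    # value ends before the stop string
            stop = message.find(arg, pos)
            if stop == -1:
                return None
            value, pos = message[pos:stop], stop + len(arg)
        else:                                    # ANYSTRING: rest of the message
            value, pos = message[pos:], len(message)
        if name:
            values[name] = value
    return values

if __name__ == "__main__":
    print(match("@ESTRING:id_message: @@ANYSTRING:rest@", SAMPLE))
```

Text left over after the last token is ignored by this emulation, so the shorter ESTRING-only pattern returns just `id_message`.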