I've look at the program field and it's empty.
It seems that syslog-ng try to find the attribute program before ":" and my logs starts with this ":". Printing the progam attribute in my log show me that this attribute is really empty.
So I'd like to make a filter using a matcher for the ":" of the message and another matcher on the empty program attribute.
2008/8/29 Geller, Sandor (IT)
<Sandor.Geller@morganstanley.com>
Hi,
> I got something in the message that can help, but I'd like to
> use it with the empty program attribute (being as specific as
> possible).
>
> So there is no way to filtre an empty program attribute?
I don't think so. When syslog-ng parses the log it has to guess
what format is applied to the log line, so it will fill in the
program field with the first string which is right after the
priority date hostname triplet. So I think at least one word
of your log will end up in the program field, and it isn't
available for match() later... You could workaround this by
combining the program() and the match() into a single filter,
or use an external program to do the filtering.
Regards,
Sandor
--------------------------------------------------------
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.