Hi

This is how I configured and the Final Log Message

parser p_drop_msgid {
    csv_parser(
        columns( "dropme", "EMSG" )
        delimiters("]")
    );
};

parser pattern_db {
    db_parser(
        file("/test/syslogs/script/parser/patterndb.xml")
    );
};

destination r_auth {
    file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"
        owner(root) group(salars) perm(0640)
        template("<#|${S_FULLDATE}|${usracct.type}|${usracct.device}|${usracct.application}|${secevt.verdict}|${EMSG}|${usracct.username}|#>\n")
    );
};

log {
    source (remote);
    filter (f_auth);
    parser(p_drop_msgid);
    parser(pattern_db);
    destination (r_auth);
};

Final Log message:

<#|2014 Oct 1 16:07:54|||||[ID 800047 auth.notice] Failed none for abc1234 from 100.200.300.10 port 59301 ssh2||#>

Thanks & Regards

On Thu, Oct 2, 2014 at 3:26 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi,
On Wed, Oct 01, 2014 at 10:48:44PM -0400, Justin Kala wrote:
My syslog-ng server (Syslog-ng OSE 3.0.4), which came default with SOLARIS OS, is not using the patterndb.xml db_parser I configured in syslog-ng.conf. I chopped off the message ID content, and the actual message is sent to the pattern-db parser, but all the macro values that are referred to from here are not getting populated in the final log.
Can you elaborate on the nature of "the final log"? If you're simply using a file destination with default template, you won't see any of the macros, as by default only $DATE, $HOST, $PROGRAM, $PID and $MSG are shown. You need to explicitly do that in the template format.
-- Kaladhar