Hello CzP,
- how to handle at file/ruleset/etc level when two applications have the same $PROGRAM
- how to handle, when the same application uses different $PROGRAM in different situations
There are many different names as $PROGRAM,
The question is the same: how should pattern name be handled?
I ran into the same problem with some brain damaged programs and log messages where it was not possible to get a reliable program name match. Fortunately the problem is not too difficult to work around. I've collected some explanations from the manual to help you out.

Basically, depending on the situation, you can:

1) use syslog-ng parser(s) to match the program name and then reclassify the messages using a rule based on checking the value in the program name parser(s)
2) use a substring of the program name which starts the program's name in each case. This should work for postfix since each subdaemon's name begins with 'postfix/'.
3) leave the program name blank, and then that pattern DB becomes a 'fallback' DB which is checked for any messages nothing else can classify. This is what I've chosen to do for the brain damaged programs I need to support.

So far I haven't noticed a performance problem but I only loaded the system lightly.

Hope this helps,
Matthew Hall.

Notes from manuals:

[T]he rules of a ruleset are applied to log messages if the name of the application that sent the message matches the Program Pattern of the ruleset. The ... content of the $PROGRAM macro is compared to the Program Patterns of the available rulesets, and then the rules of the matching rulesets are applied to the message. If the $PROGRAM part of a message is empty, rules with an empty Program Pattern are used to classify the message. The Program Pattern can be a string that specifies the name of the application or the beginning of its name (e.g., to match for sendmail, the program pattern can be sendmail, or just send), and the Program Pattern can contain pattern parsers.

pattern: The name of the application — syslog-ng matches this value to the $PROGRAM header of the syslog message to find the rulesets applicable to the syslog message. This element is also called the program pattern.

If the <pattern> element of a ruleset is not specified, syslog-ng will use this ruleset as a fallback ruleset: it will apply the ruleset to messages that have an empty PROGRAM header, or if none of the program patterns matched the PROGRAM header of the incoming message.
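
A pattern database sketch of options 2 and 3 above, added here as an illustration and not part of the original message or the syslog-ng manual. The ruleset names, ids, dates, value names and message patterns are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: every name, id and message pattern is a placeholder. -->
<patterndb version="4" pub_date="2024-01-01">

  <!-- Option 2: a prefix as the program pattern. This ruleset is selected for
       postfix/smtpd, postfix/qmgr and any other $PROGRAM starting with "postfix/". -->
  <ruleset name="postfix" id="00000000-0000-0000-0000-000000000001">
    <pattern>postfix/</pattern>
    <rules>
      <rule provider="example" id="00000000-0000-0000-0000-000000000101" class="system">
        <patterns>
          <pattern>connect from @ANYSTRING:postfix.client@</pattern>
        </patterns>
        <examples>
          <example>
            <!-- Constructed sample message used to self-test the rule. -->
            <test_message program="postfix/smtpd">connect from mail.example.org[192.0.2.10]</test_message>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>

  <!-- Option 3: no <pattern> element, so this is a fallback ruleset. It is
       consulted when $PROGRAM is empty or matched no other program pattern,
       so its rules start with a literal prefix to avoid classifying
       unrelated messages. -->
  <ruleset name="fallback" id="00000000-0000-0000-0000-000000000002">
    <rules>
      <rule provider="example" id="00000000-0000-0000-0000-000000000201" class="system">
        <patterns>
          <pattern>session @NUMBER:app.session_id@ closed by @ANYSTRING:app.peer@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="">session 4711 closed by 192.0.2.20</test_message>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Running `pdbtool test` on the file checks each rule against its embedded test_message before the database is loaded into syslog-ng.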