Sorry Evan for mistyping your name. :)

On Tue, Mar 20, 2018 at 2:06 PM, Nagy, Gábor <gabor.nagy@balabit.com> wrote:

Hi Elen!

Does your application log into a file? Because then you could use multi-line file source with a well-defined prefix as the "{date} {host} {program}:".

Regards,

Gabor

On Thu, Mar 15, 2018 at 7:10 AM, Scheidler, Balázs <balazs.scheidler@balabit.com> wrote:

The $1 is not set in this case, you can however use template functions in the value part. E.g. set line based on the @PCRE@ matcher and overwrite its value using an expression $(substr $line 0 -3)

Would that work for you?

On Mar 15, 2018 02:08, "Evan Rempel" <erempel@uvic.ca> wrote:

I have a case where an application logs something like

{date} {host} {program}: my first line...
...my second line...
...and my third line.


I want to make a correlation and unwrap these lines into

{date} {host} {program}: my first line my second line and my third line.


I started writing the patterndb to do this, but matching the ... at the end

of the line is difficult, so I used @PCRE:line:(.*)\.\.\.$@

but I then need to only use the $1 to set a value

<values>
 <value name="mymessage">$1</value>
</values>


Would this be the correct syntax to do this?

Is there an easier way that would perform well?

Thanks,

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

N�n�r����)em�h�yhiם�w^��