On Fri, Apr 11, 2014 at 10:10 PM, David Hauck <davidh@netacquire.com> wrote:
Hi Viktor,
On Friday, April 11, 2014 1:01 PM, syslog-ng-bounces@lists.balabit.huwrote:
Hi David!
If a log message does not match any pattern for a parser, syslog-ng db-parser sets its .classifier.class to "unknown" regardless of the field's previous state. So if it matched on a previous parser, the next parser will overwrite it if it doesn't match on that. I think it's a bug rather than a feature, so could you please open an issue for that on github?
Sure, I can do that (although I can imagine a potential valid semantic for wanting this to behave either way).
Perhaps then we should make this switchable and the default should be the current behaviour. You're right, I forgot that changing behaviour could break existing configs :(.
You can merge patterndb .pdb files easily with "pdbtool merge" command, which is shipped with syslog-ng. It's simpler than having junctions :).
:) OK, that's an option too (although I also like splitting these out into individual files and not having to run the merge whenever an individual file is modified).
Cheers, -David
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq