All right, replying to myself: Valentijn Sessink wrote:
1) @ESTRING:postfix.remotehost:[@@IPvANY:postfix.remoteip@]</pattern>
I probably had a typo in the original pattern; as far as I can see, it does work with two consecutive pattern parsers.
2) The syslog-ng OSE admin guide tells me to use @QSTRING:<>@ to match the
This is a bit unclear in the documentation. The documentation just mentions the QSTRING:<> match, while naturally, the < and > need to be escaped (&lt; and &gt;).
3) My third question boils down to: is it possible to correlate *one* single message into *two* separate trails?
Yes, you can, but at a cost. To match one message with two patterns, you will need two different pattern databases:

    parser db1 {db_parser(file("/var/lib/syslog-ng/db1.xml"));};
    parser db2 {db_parser(file("/var/lib/syslog-ng/db2.xml"));};

Then, in the log {} entry, specify parser(db1) for the first pattern; and parser(db2) for the second. This seems to work as expected. Trying to match with identical patterns in one database won't work (for technical reasons).

Valentijn
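The escaping point from item 2, as an added example that is not part of the original post: writing the rule through an XML library escapes the QSTRING delimiters, and a well-formedness check catches a hand-written pattern that left them raw. The field name postfix.sender, the ids and the minimal patterndb skeleton are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample pattern; the field name postfix.sender is hypothetical.
RAW_PATTERN = "from=@QSTRING:postfix.sender:<>@"

# Constructed hand-written fragment that forgot to escape < and >.
UNESCAPED_XML = (
    "<patterndb version='4'><ruleset name='postfix' id='constructed-id'>"
    "<rules><rule provider='example' id='constructed-rule' class='system'>"
    "<patterns><pattern>from=@QSTRING:postfix.sender:<>@</pattern></patterns>"
    "</rule></rules></ruleset></patterndb>"
)


def build_patterndb(raw_pattern):
    """Serialize a one-rule pattern database; the library escapes < and >."""
    db = ET.Element("patterndb", {"version": "4"})
    ruleset = ET.SubElement(db, "ruleset",
                            {"name": "postfix", "id": "constructed-id"})
    program = ET.SubElement(ruleset, "patterns")
    ET.SubElement(program, "pattern").text = "postfix"
    rules = ET.SubElement(ruleset, "rules")
    rule = ET.SubElement(rules, "rule", {"provider": "example",
                                         "id": "constructed-rule",
                                         "class": "system"})
    patterns = ET.SubElement(rule, "patterns")
    ET.SubElement(patterns, "pattern").text = raw_pattern
    return ET.tostring(db, encoding="unicode")


def rule_patterns(xml_text):
    """Return the rule patterns as an XML parser hands them back (unescaped)."""
    root = ET.fromstring(xml_text)
    return [p.text for p in root.findall("./ruleset/rules/rule/patterns/pattern")]


def is_well_formed(xml_text):
    """True if the text parses as XML; raw '<>' in a pattern makes this False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    xml_text = build_patterndb(RAW_PATTERN)
    print(xml_text)                       # on disk: ...:&lt;&gt;@
    print(rule_patterns(xml_text))        # after parsing: ...:<>@
    print(is_well_formed(UNESCAPED_XML))  # hand-written raw <> is rejected
```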