On Fri, 2011-08-05 at 14:08 +0200, Remy Zandwijk wrote:
Hi list,
So, I am new to syslog-ng and I am struggling with the features regexp/store-matches and csv-parser macros. I searched the web and the mailing list archive for these two subjects, but that didn't answer my questions. The syslog-ng 3.1.3 I'm using is running on Debian Squeeze.
filter f_mytest { facility(local0) and level(debug) and match("^www" value("MSGHDR") flags("store-matches")); };
template t_mytest { template("${MSG}--${1}\n"); }
destination d_mytest { file("/var/tmp/mytest.log"); };
log { source(s_src); filter(f_mytest); template(t_mytest); destination(f_mytest); };
When I send a message to syslog-ng with: logger -p local0.debug -t www testmessage, nothing appears in the logfile. However, when flags("store-matches") is omitted, the message appears as expected. Why does this filter not work?
I am playing around with the csv-parser function as well. The (user-defined) macros can be used in file() functions, but I found out that they don't work in owner() and group() functions. Is that expected?
Oops, I forgot this part of your question. owner() and group() do not support template expansion, so they can't contain information derived from the log messages. It'd be quite complicated to do, and I'd say also quite fragile, and security-wise not very good: can you really trust the log message so much that you'd set the access rights of log files based on it?
-- Bazsi
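The point made in the reply above, as an added configuration sketch that is not part of the original thread: when different log files need different owners, a filter on the parsed column can select among destinations whose owner(), group() and perm() are fixed in the configuration, so the message content only chooses from a list the administrator wrote. The parser, column, account and path names are assumptions; s_src is the source named in the question.

```conf
# Constructed example. p_app, APP.NAME, APP.REST, the webadmin/dbadmin
# accounts and the /var/log/apps paths are hypothetical names.

# Split the message on spaces; the first column carries the application name.
parser p_app {
    csv-parser(columns("APP.NAME", "APP.REST")
               delimiters(" ")
               flags(escape-none));
};

# Ownership and permissions are static per destination and never
# derived from anything the sender controls.
destination d_web {
    file("/var/log/apps/web.log"
         owner("webadmin") group("webadmin") perm(0640));
};
destination d_db {
    file("/var/log/apps/db.log"
         owner("dbadmin") group("dbadmin") perm(0640));
};
# Anything that matches no known application lands in a restricted file.
destination d_other {
    file("/var/log/apps/other.log"
         owner("root") group("adm") perm(0640));
};

# Anchored, exact matches: an unexpected value cannot pick a destination.
filter f_web { match("^web$" value("APP.NAME")); };
filter f_db  { match("^db$"  value("APP.NAME")); };

log { source(s_src); parser(p_app); filter(f_web); destination(d_web); flags(final); };
log { source(s_src); parser(p_app); filter(f_db);  destination(d_db);  flags(final); };
log { source(s_src); parser(p_app); destination(d_other); };
```

The flags(final) on the first two log paths stops matched messages from also reaching the catch-all destination.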