Perfect, thanks!

On Fri, Oct 15, 2010 at 3:14 PM, Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Tue, 2010-10-12 at 09:50 -0500, Martin Holste wrote:
> > Thanks for the examples, this helps. However, I do have a question. The best use I can think of for this is to correlate our email gateway logs, which currently spew about 20 log entries per email. I'd love for all of the data to be printed out in one line like you've demonstrated the action feature can accomplish. The problem that I foresee is that many log entries do not have $PID available, just $HOST and $PROGRAM, and that will not be unique enough. Our mail gateways have message IDs built into the log entry, but it would have to be parsed out with a pattern. Can this be done and still work within the system you've created? If so, can you show an example?
>
> Yes, sure. The context-id attribute can contain values parsed outside the message.
>
> E.g., if you have parsed out the queue-id from the log that groups the log messages, you can use:
>
> context-scope="host" context-id="mail-correllation:${queue_id}"
>
> Assuming that even the $PROGRAM value varies between lines. If that stays the same, you could probably use context-scope="program".
>
> -- 
> Bazsi
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
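As an added illustration (not code from this thread or from syslog-ng itself), the Python below models what the suggested context-scope="host" context-id="mail-correllation:${queue_id}" setting does: a queue id parsed out of the message body becomes the correlation key within a host, $PROGRAM is ignored, and each context is emitted as one line once it has been idle for the context-timeout. The log lines, hostnames and the queue-id regex are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines: (timestamp, host, program, message). Two mails
# interleave on gw1 under the same programs, so host+program cannot keep them
# apart; the same queue id also reappears on gw2 and must stay separate.
SAMPLE_LOGS = [
    (0, "gw1", "postfix/smtpd",   "A1B2C3: client=mx.example.net[192.0.2.10]"),
    (1, "gw1", "postfix/smtpd",   "D4E5F6: client=relay.example.org[198.51.100.7]"),
    (2, "gw1", "postfix/cleanup", "A1B2C3: message-id=<one@example.net>"),
    (3, "gw1", "postfix/qmgr",    "D4E5F6: from=<bob@example.org>, size=2048"),
    (4, "gw1", "postfix/qmgr",    "A1B2C3: from=<alice@example.net>, size=1024"),
    (5, "gw1", "postfix/smtp",    "D4E5F6: to=<carol@example.com>, status=sent"),
    (6, "gw1", "postfix/smtp",    "A1B2C3: to=<dave@example.com>, status=sent"),
    (7, "gw2", "postfix/smtpd",   "A1B2C3: client=other.example[203.0.113.5]"),
]

# Stand-in for the patterndb pattern that parses out ${queue_id} (constructed).
QUEUE_ID = re.compile(r"^(?P<queue_id>[0-9A-Z]{6,}): (?P<rest>.*)$")


def context_key(host: str, msg: str):
    """context-scope="host" plus context-id="mail-correllation:${queue_id}":
    the key is (host, expanded context-id); $PROGRAM plays no part."""
    m = QUEUE_ID.match(msg)
    if m is None:
        return None, None          # no queue id: the line joins no context
    return (host, "mail-correllation:" + m.group("queue_id")), m.group("rest")


def correlate(lines, timeout: int) -> List[str]:
    """Collect lines per context and emit one line per context once it has been
    idle for `timeout` seconds (the role of context-timeout plus an action)."""
    contexts: Dict[Tuple[str, str], Tuple[int, List[str]]] = {}
    emitted: List[str] = []

    def flush(now) -> None:
        for key in [k for k, (last, _) in contexts.items() if now - last >= timeout]:
            _, parts = contexts.pop(key)
            emitted.append(f"{key[0]} {key[1]} " + "; ".join(parts))

    for ts, host, _program, msg in lines:
        flush(ts)                  # expire contexts that went idle before this line
        key, rest = context_key(host, msg)
        if key is None:
            continue
        _, parts = contexts.get(key, (ts, []))
        contexts[key] = (ts, parts + [rest])
    flush(float("inf"))            # end of input: every open context times out
    return emitted
```

With a 60 s timeout the eight constructed lines collapse into three: one line each for the two mails on gw1 and one for the unrelated A1B2C3 on gw2; with a 2 s timeout, shorter than the gaps between a mail's own lines, each mail is split into fragments, which is the tuning caveat to watch for when choosing context-timeout.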