Hi Viktor, On Friday, April 11, 2014 1:01 PM, syslog-ng-bounces@lists.balabit.hu wrote:
Hi David!
If a log message does not match any pattern for a parser, syslog-ng db-parser sets its .classifier.class to "unknown" regardless of the field's previous state. So if it matched on a previous parser, the next parser will overwrite it if it doesn't match on that. I think it's a bug rather than a feature, so could you please open an issue for that on github?
Sure, I can do that (although I can imagine a potential valid semantic for wanting this to behave either way).
You can merge patterndb .pdb files easily with "pdbtool merge" command, which is shipped with syslog-ng. It's simpler than having junctions :).
:) OK, that's an option too (although I also like splitting these out into individual files and not having to run the merge whenever an individual file is modified). Cheers, -David