Hello,

On 10/14/2010 08:59 AM, Matthew Hall wrote:
> Basically, depending on the situation, you can:
>
> 1) use syslog-ng parser(s) to match the program name and then reclassify the messages using a rule based on checking the value in the program name parser(s)
>
> 2) use a substring of the program name which starts the program's name in each case. This should work for postfix since each subdaemon's name begins with 'postfix/'.
>
> 3) leave the program name blank, and then that pattern DB becomes a 'fallback' DB which is checked for any messages nothing else can classify. This is what I've chosen to do for the brain damaged programs I need to support. So far I haven't noticed a performance problem but I only loaded the system lightly.
Option 1) needs changes also in syslog-ng.conf, so it's not good as a general solution. Option 3) looks ugly too, and might be slower / less reliable when a large number of patterns are used. So far 2) seems to be the most useful for general use. This can handle postfix/* and imapd*.

I still wonder how to handle when the same $PROGRAM is used for different applications, like "imapd" for both wu-imapd and courier-imapd. First I thought that all should go to the same imapd.pdb, but under different rulesets. But that has a problem: courier is not just imap, but also a pop3 server. Also http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=blob;f=README.txt;h... says that "Applications are grouped by their respective function and each application gets a single file that lists all the patterns of that application." So it would be more appropriate to rename imapd.pdb to wu-imapd.pdb (as it would only have patterns for Washington University IMAPd), and have a separate courier.pdb, or even courier-imapd.pdb and courier-pop3d.pdb.

What do you think?

Bye,
-- 
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
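Options 2) and 3) from Matthew's list side by side in one patterndb file, as an added illustration that is not part of this thread nor of the syslog-ng-patterndb repository. It assumes the behaviour Matthew describes: a ruleset program pattern matches the beginning of $PROGRAM (so "postfix/" covers every postfix sub-daemon), and an empty program pattern turns the ruleset into the fallback consulted only for messages no other ruleset claims; the ruleset and rule ids, the sample message pattern and the tag names are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example; ids and names are placeholders, not real patterndb entries. -->
<patterndb version='3' pub_date='2010-10-14'>

  <!-- Option 2: one ruleset for all postfix sub-daemons. The program pattern
       "postfix/" is a prefix, so postfix/smtpd, postfix/qmgr, postfix/cleanup, ...
       all reach this ruleset without listing each sub-daemon separately. -->
  <ruleset name='postfix' id='example-ruleset-postfix'>
    <patterns>
      <pattern>postfix/</pattern>
    </patterns>
    <rules>
      <!-- Matches e.g. "connect from mail.example.org[192.0.2.10]" -->
      <rule provider='example' id='example-rule-postfix-connect' class='system'>
        <patterns>
          <pattern>connect from @ESTRING:client_host:[@@IPv4:client_ip:@]</pattern>
        </patterns>
        <tags>
          <tag>smtp.connect</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>

  <!-- Option 3: an empty program pattern makes this the fallback ruleset. It is
       only consulted for messages whose $PROGRAM matched no other ruleset, so it
       is the place to tag unclassified output from programs with unusable names. -->
  <ruleset name='fallback' id='example-ruleset-fallback'>
    <patterns>
      <pattern></pattern>
    </patterns>
    <rules>
      <rule provider='example' id='example-rule-fallback-unclassified' class='unknown'>
        <patterns>
          <pattern>@ANYSTRING:rest@</pattern>
        </patterns>
        <tags>
          <tag>unclassified</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>

</patterndb>
```

Keeping the fallback ruleset's rules few and cheap limits the cost Peter worries about, since every message that misses a program-specific ruleset still walks through them.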