On Tue, Aug 03, 2010 at 02:39:38PM +0200, Balazs Scheidler wrote:
Well, if you want to look at the result of the message parsing exactly as done by syslog-ng, you could use a noop rewrite rule and enable debugging (though it is not recommended to be done in a production server):
rewrite r_noop { set("$MESSAGE"); };
This would set $MESSAGE to $MESSAGE, but at the end of the rewrite rule, syslog-ng would emit a debug message about the contents of the MESSAGE name-value pair.
Unfortunately I can't even get that far because the beginning of my message patterns is not matching up against whatever syslog-ng is using to do the pattern match, so I am not going to get any name value pairs out.
Alternatively, you may still be able to use "pdbtool match" which can read a log file, parse it with syslog-ng's message parser and report the results per name-value pair.
$ pdbtool match -f /var/log/auth.log -p access/sshd.pdb | head -10
HOST=bzorp
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
PROGRAM=CRON
PID=7362
LEGACY_MSGHDR=CRON[7362]:
.classifier.class=unknown
...
This uses the normal BSD syslog parser to read the file (thus if you are using the no-parse flag, or RFC5424 format log files, that may differ).
How do I create a file in this BSD format the pdbtool expects? Right now I am using syslog-ng output files as input to my patternizing scripts, but I think I am not stripping off the right things at the beginning of the lines in these files (either too much or too little). Is there some option I can use to store just the part it would send to the pattern matcher so that I can have input to my patternizer which looks exactly like what the daemon is going to match during the pattern match for each message?
-- Bazsi
Thanks, Matthew.
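To illustrate which part of a BSD-format line ends up in MESSAGE (the part handed to the pattern matcher) versus the header fields reported above, here is an added, self-contained approximation of that split. It is not syslog-ng's own parser and the sample line is constructed; where syslog-ng's real parser disagrees, trust pdbtool match.

```python
import re

# Constructed sample in the traditional BSD syslog file format that
# /var/log/auth.log normally contains; not a line from the thread.
SAMPLE = ("Aug  3 14:39:38 bzorp CRON[7362]: pam_unix(cron:session): "
          "session opened for user root by (uid=0)")

# Optional <PRI>, a 15-character BSD timestamp, a host token, then the rest.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)
# "program[pid]: " or "program: " prefix, reported by syslog-ng as LEGACY_MSGHDR.
_MSGHDR = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ")


def parse_bsd_syslog(line):
    """Split one BSD syslog line into name-value pairs.

    Illustrative approximation of the split syslog-ng's BSD parser performs
    (written for this reply, not syslog-ng code). The MESSAGE value is the
    text that the pattern database matcher sees; everything before it is
    header and must not be fed to a patternizer.
    """
    m = _HEADER.match(line.rstrip("\n"))
    if not m:
        return None  # not a BSD-format line (e.g. RFC5424 or no-parse output)
    nv = {"HOST": m.group("host"), "DATE": m.group("date")}
    if m.group("pri") is not None:
        nv["PRI"] = m.group("pri")
    rest = m.group("rest")
    h = _MSGHDR.match(rest)
    if h:
        nv["PROGRAM"] = h.group("program")
        if h.group("pid"):
            nv["PID"] = h.group("pid")
        nv["LEGACY_MSGHDR"] = h.group(0).rstrip(" ")
        nv["MESSAGE"] = rest[h.end():]
    else:
        # No "program[pid]:" prefix (e.g. "-- MARK --"): whole remainder is MESSAGE.
        nv["MESSAGE"] = rest
    return nv


if __name__ == "__main__":
    for name, value in parse_bsd_syslog(SAMPLE).items():
        print(f"{name}={value}")
```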