On Oct 18, 2010, at 12:32 PM, Matthew Hall wrote:
On Mon, Oct 18, 2010 at 12:25:50PM -0600, Bill Anderson wrote:
On Oct 18, 2010, at 11:48 AM, Bill Anderson wrote:
Perhaps doing the rewrite then using a patterndb entry? I'll go try that.
Nope. Rewriting host1 to host-1 then calling the patterndb does not work. Reasoning: rewriting the APACHE.ROLEHOST has no effect on $MSG, which is what the patterndb gets. Which in hindsight, I should have known.
Hi Bill,
I did try to follow your first email but it got complicated and covered some areas of the syslog-ng product I have not used before so I am not sure if you tried this already or not.
3.x is new to me so much of these areas are likewise new to me. :)
I was thinking maybe you might be able to help your situation by using APACHE.ROLEHOST in the output file naming template. Once you have added that variable to the message it should stay there despite further parsings with CSV or patterndb unless overwritten.
I could, but the goal was to not use it there. Initially it would contain say host1, but in my file naming I want just "host" (a directory). And in that directory would be one access file with host1 and host2 logs written to it.
So once you created the APACHE.ROLEHOST variable the first time using CSV parser, you could still probably reference it in your arguments to the file() driver or other output driver template.
I just found a way. You CAN use the rewrite set to set a new field to a parsed field. To wit:

    rewrite r_set1 { set("${APACHE.ROLEHOST}", value("RHOST")); };

This gives me the ability to instead of rewriting APACHE.ROLEHOST, to rewrite RHOST, which of course leaves APACHE.ROLEHOST intact. :D Thus my criteria sans performance testing are met. Now to perf test it. :D

Thanks to you, Martin, and Balazs.

Cheers,
Bill
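
The approach the thread arrives at, written out as a full log path. This is an added example, not configuration posted by anyone in the thread. The source, the `APACHE.REST` column, the `/var/log/apache` path and every object name except `r_set1` are assumptions. It is a fragment to merge into an existing syslog-ng 3.x configuration.

```conf
# Added example, not from the thread. Names marked "assumed" are hypothetical.
source s_net { udp(port(514)); };                    # assumed source

# Split the message; the first column is the role host, e.g. "host1".
parser p_apache {
    csv-parser(
        columns("APACHE.ROLEHOST", "APACHE.REST")    # APACHE.REST is assumed
        delimiters(" ")
        flags(greedy)                                # remainder goes to the last column
        template("${MSG}")
    );
};

# Copy the parsed field into RHOST so APACHE.ROLEHOST stays intact.
rewrite r_set1 { set("${APACHE.ROLEHOST}", value("RHOST")); };

# Strip the trailing instance number from the copy: host1, host2 -> host.
rewrite r_role { subst("[0-9]+$", "", value("RHOST")); };

# RHOST is taken from message content and is used in a file path below,
# so only accept values that look like a plain role name (no "/" or ".").
filter f_safe_rhost { match("^[a-z][a-z-]*$" value("RHOST")); };

# One directory per role; host1 and host2 share the same access log.
destination d_apache {
    file("/var/log/apache/${RHOST}/access.log" create_dirs(yes));   # assumed path
};

log {
    source(s_net);
    parser(p_apache);
    rewrite(r_set1);
    rewrite(r_role);
    filter(f_safe_rhost);
    destination(d_apache);
};
```

Messages whose first column does not match the filter are dropped from this log path, so a catch-all destination in a separate log statement is worth having if those lines should be kept.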