On Thu, 2010-10-14 at 12:12 +0200, Peter Czanik wrote:
> Hello,
> On 10/14/2010 08:59 AM, Matthew Hall wrote:
> > Basically, depending on the situation, you can:
> > 1) use syslog-ng parser(s) to match the program name and then reclassify the messages using a rule based on checking the value in the program name parser(s)
> > 2) use a substring of the program name which starts the program's name in each case. This should work for postfix since each subdaemon's name begins with 'postfix/'.
> > 3) leave the program name blank, and then that pattern DB becomes a 'fallback' DB which is checked for any messages nothing else can classify. This is what I've chosen to do for the brain damaged programs I need to support. So far I haven't noticed a performance problem but I only loaded the system lightly.
>
> Option 1) needs changes also in syslog-ng.conf, so it's not good as a general solution. Option 3) looks ugly too, and might be slower / less reliable when a large number of patterns are used. So far 2) seems to be the most useful for general use. This can handle postfix/* and imapd*.
>
> I still wonder how to handle it when the same $PROGRAM is used for different applications, like "imapd" for both wu-imapd and courier-imapd. First I thought that all should go to the same imapd.pdb, but under different rulesets. But that has a problem: courier is not just imap, but also a pop3 server. Also http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=blob;f=README.txt;h... says that "Applications are grouped by their respective function and each application gets a single file that lists all the patterns of that application." So it would be more appropriate to rename imapd.pdb to wu-imapd.pdb (as it would only have patterns for Washington University IMAPd), and have a separate courier.pdb, or even courier-imapd.pdb and courier-pop3d.pdb. What do you think?
You should use separate files based on the brand/name of the product, and both should use imapd as the program name pattern. The rules will be merged internally by syslog-ng, but I guess the messages themselves are different enough to make a distinction. Or if not, hopefully the same-looking messages also serve the same purpose.

Also please note that you can use multiple <pattern> tags for a given ruleset, e.g.

  <ruleset ...>
    <patterns>
      <pattern>imapd</pattern>
      <pattern>imapd-ssl</pattern>
    </patterns>
  </ruleset>

Also, program names, just like messages, use the longest prefix match, so as Matthew has put it, you can always use the longest unique prefix. And you can also use parsers within the program name pattern if that helps somehow.

-- 
Bazsi
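To make the layout Bazsi describes concrete, here is an added example of what a per-product courier.pdb could look like in patterndb version 4 format. It is not a file from this thread or from the syslog-ng-patterndb repository: the ruleset and rule ids are placeholders (real files need unique UUIDs), the log lines in the examples are constructed samples, and the exact wording of Courier's LOGIN messages is an assumption. A separate wu-imapd.pdb could list the same 'imapd' program pattern; syslog-ng merges the rulesets and the message patterns decide which rule fires.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- courier.pdb: one file per product. Both this file and a separate
     wu-imapd.pdb may list 'imapd' as a program pattern; syslog-ng merges the
     rulesets internally and the message patterns make the distinction.
     Ids below are placeholders, not real UUIDs. -->
<patterndb version="4" pub_date="2010-10-14">

  <!-- Courier IMAP logs as 'imapd' or 'imapd-ssl', so both program names are
       listed in one ruleset (multiple <pattern> tags, as Bazsi notes). -->
  <ruleset name="courier-imapd" id="PLACEHOLDER-RULESET-ID-1">
    <patterns>
      <pattern>imapd</pattern>
      <pattern>imapd-ssl</pattern>
    </patterns>
    <rules>
      <!-- Constructed sample: LOGIN, user=alice, ip=[192.0.2.10], protocol=IMAP
           @ESTRING:name:delim@ consumes up to and including the delimiter,
           so no literal ',' or ']' follows the parser. -->
      <rule provider="example" id="PLACEHOLDER-RULE-ID-1" class="system">
        <patterns>
          <pattern>LOGIN, user=@ESTRING:username:,@ ip=[@ESTRING:client_ip:]@, protocol=@ANYSTRING:protocol@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="imapd">LOGIN, user=alice, ip=[192.0.2.10], protocol=IMAP</test_message>
            <test_values>
              <test_value name="username">alice</test_value>
              <test_value name="client_ip">192.0.2.10</test_value>
              <test_value name="protocol">IMAP</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>

  <!-- Courier's POP3 daemon is a different program name but the same product,
       so it lives in the same file under its own ruleset. -->
  <ruleset name="courier-pop3d" id="PLACEHOLDER-RULESET-ID-2">
    <patterns>
      <pattern>pop3d</pattern>
      <pattern>pop3d-ssl</pattern>
    </patterns>
    <rules>
      <!-- Constructed sample: LOGIN, user=bob, ip=[192.0.2.11] -->
      <rule provider="example" id="PLACEHOLDER-RULE-ID-2" class="system">
        <patterns>
          <pattern>LOGIN, user=@ESTRING:username:,@ ip=[@ESTRING:client_ip:]@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="pop3d-ssl">LOGIN, user=bob, ip=[192.0.2.11]</test_message>
            <test_values>
              <test_value name="username">bob</test_value>
              <test_value name="client_ip">192.0.2.11</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>

</patterndb>
```

The <examples> blocks are what pdbtool's test mode checks (pdbtool test courier.pdb), so each pattern ships with the message it is meant to match and the values it should extract; when a wu-imapd.pdb with the same 'imapd' program pattern is loaded alongside this file, running the tests against the merged set is the quickest way to confirm that the two products' messages really are distinct enough to classify separately.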