Ok, I must use ANYSTRING, but to use it I need the 3.1 version and I can't compile it... I downloaded the snapshot from git-web, but when I try to "make" I get:

afsql.c:36:21: error: dbi/dbi.h: No such file or directory

Did I download the wrong version?

Thanks,
Jacopo

2009/7/14 Balazs Scheidler <bazsi@balabit.hu>:
On Mon, 2009-07-13 at 19:59 +0200, ILLES, Marton wrote:
Hi,
First you should simply try a pattern like this:
<pattern>@ESTRING:id_message: @</pattern>
This would match your line and would extract the message id. Then you can work on extending it. Also, probably the easiest option is to use the @ANYSTRING@ parser, which would match everything till the end of the message. It is available in the 3.1 git tree:
http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=commit;h=c22ee8dad59b56b9...
So your pattern would look something like this:
<pattern>@ESTRING:id_message: @@ANYSTRING:rest@</pattern>
In the SQL statement you can then use the ${id_message} and ${rest} macros. (Note that ANYSTRING is available only in the 3.1 tree, which uses the newer patterndb format!)
Let me know if it works.
I didn't have time to completely integrate your patterndb v2 patches, so it still sits in a local branch and not on master.
But ANYSTRING is already there.
-- Bazsi
-- Linux, Windows XP and MS-DOS (also known as the Good, the Bad and the Ugly). -- Matt Welsh
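
The two patterns suggested in the thread, run through a simplified Python model of the ESTRING and ANYSTRING parsers. This is an added example, not part of the original messages and not syslog-ng code. `match_pattern` and the sample log line are constructed here, and the model assumes that ESTRING consumes its end string without storing it; text the pattern does not cover is returned to the caller rather than judged as a match or a miss.

```python
import re

# Simplified model of two patterndb parsers (an approximation, not syslog-ng's radix code):
#   @ESTRING:name:end@  captures up to the end string; the end string is consumed, not stored
#   @ANYSTRING:name@    captures everything left in the message
#   @@                  is a literal '@'
TOKEN = re.compile(r"@(ESTRING|ANYSTRING):([^:@]*)(?::([^@]*))?@|@@|[^@]+")

# Constructed sample line; the thread does not show the poster's real message.
SAMPLE = "4F2A1B9C7D client connected from 192.0.2.10"

def match_pattern(pattern, message):
    """Return (values, unparsed_tail), or None when the pattern does not fit."""
    values, pos, i = {}, 0, 0
    while i < len(pattern):
        tok = TOKEN.match(pattern, i)
        if tok is None:
            raise ValueError(f"unsupported pattern syntax at offset {i}")
        i = tok.end()
        kind, name, end = tok.groups()
        if kind == "ESTRING":
            if not end:
                raise ValueError("ESTRING needs an end string")
            stop = message.find(end, pos)
            if stop < 0:
                return None                      # end string never appears
            values[name] = message[pos:stop]
            pos = stop + len(end)                # skip the delimiter itself
        elif kind == "ANYSTRING":
            values[name] = message[pos:]         # swallow the rest of the line
            pos = len(message)
        else:
            literal = "@" if tok.group() == "@@" else tok.group()
            if not message.startswith(literal, pos):
                return None
            pos += len(literal)
    return values, message[pos:]

if __name__ == "__main__":
    for p in ("@ESTRING:id_message: @", "@ESTRING:id_message: @@ANYSTRING:rest@"):
        print(p, "->", match_pattern(p, SAMPLE))
```

With the first pattern only `id_message` is extracted and the remainder of the line is left unparsed; adding `@ANYSTRING:rest@` captures that remainder under a name, which is what makes `${rest}` usable alongside `${id_message}`.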