Ioan Indreias wrote:
For example, we would like to extract 'user' and 'action' from a URL like the one mentioned below:

APP[9988]: WEB[0011]: http://abc.example.com/query.php?user=test1&action=login&host=prod1&device=d... HTTP 1.1

[...]

Does somebody have some hints on how to optimize the extraction of macros when they are not in a known order?

It's probably the HTTP variables you're after, not the URLs. For example, how about:

http://abc.example.com/query.php?us%65r=test1&%61ction=login&host=prod1&devi...

Or even:

http://abc.example.com/query.php?us%65r=%61dmin&%61ction=login&host=prod1&de...

(where syslog-ng would report "user=guest" doing "nothing" on any "user=/action=" matching pattern, while the web app is happily logging you in as admin)

My first thought is: don't do this in syslog-ng, because it won't tell you the things you want to know. (I could be wrong, as I don't know what your web app is about and what you're trying to extract and why).

Best regards,
Valentijn
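
An added example, not part of either message: a log post-processor that percent-decodes the query string before looking up 'user' and 'action' in any order, set beside a raw pattern match of the kind the reply warns about. The sample lines are constructed in the format quoted above, and the function names and flag strings are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in the log format quoted in the thread (not real logs).
SAMPLES = [
    "APP[9988]: WEB[0011]: http://abc.example.com/query.php"
    "?user=test1&action=login&host=prod1 HTTP 1.1",
    "APP[9988]: WEB[0011]: http://abc.example.com/query.php"
    "?host=prod1&us%65r=%61dmin&%61ction=login&user=guest&action=nothing HTTP 1.1",
]

URL_RE = re.compile(r"https?://\S+")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def naive_extract(line, name):
    """Match 'name=' on the raw text, as a plain pattern matcher would."""
    m = re.search(r"[?&]" + re.escape(name) + r"=([^&\s]*)", line)
    return m.group(1) if m else None


def decoded_extract(line, names=("user", "action")):
    """Decode each name/value pair first, then collect every value per name.

    Returns (values, flags). All values are kept because which duplicate
    the web application actually uses depends on the application.
    """
    m = URL_RE.search(line)
    if not m:
        return {}, []
    values = {n: [] for n in names}
    flags = []
    for raw_pair in urlsplit(m.group(0)).query.split("&"):
        pairs = parse_qsl(raw_pair, keep_blank_values=True)
        if not pairs:
            continue
        key, value = pairs[0]
        if key in values:
            values[key].append(value)
            # A percent-encoded parameter name is worth flagging on its own.
            if PCT_RE.search(raw_pair.split("=", 1)[0]):
                flags.append(f"encoded-name:{key}")
    for name, seen in values.items():
        if len(set(seen)) > 1:
            flags.append(f"conflicting-values:{name}")
    return values, flags
```
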