I don't think you understood the third option, which does do that, though only for a finite number of fields. If you use generic names for your extractions "@NUMBER:i0:@ @NUMBER:i1:@ @ESTRING:s0:%@" etc. then your single template works for any message:

template("$R_UNIXTIME\t$SOURCEIP\t$PROGRAM\t${.classifier.class}\t${.classifier.rule_id}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n");

As long as no pattern extraction uses a name other than i0-s5, you're good to go.

On Mon, Oct 25, 2010 at 10:32 PM, Lars Kellogg-Stedman <lars@oddbit.com> wrote:
There are a couple of ways you can handle this:
These are all useful suggestions, but I'm still stuck with the root of the problem -- I don't know how to get "all the metadata" associated with a message using any of the existing output drivers. Anything using templates I need to explicitly define the content of the message, and the sql() driver, as you point out, also requires explicitly selecting metadata.
Neither of these allows me access to any and all information generated by the parsing engine -- which may change periodically as I update the pattern database.
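The consuming side of the fixed-slot template discussed in this thread, as an added example that is not part of either poster's message or of syslog-ng itself: it splits one output line into the five fixed columns, the message, and the twelve generic slots, then renames slots per rule. The rule id, the slot-name mapping and the sample line are constructed assumptions.

```python
# Added example (not from the thread): parse one line written by the
# tab-separated template with generic slots i0-i5 and s0-s5.

FIXED = ["unixtime", "source_ip", "program", "class", "rule_id"]
SLOTS = [f"i{n}" for n in range(6)] + [f"s{n}" for n in range(6)]

# Hypothetical mapping from .classifier.rule_id to meaningful slot names.
# It lives beside the pattern database and changes with it; the template does not.
SLOT_NAMES = {
    "rule-ssh-accept": {"i0": "port", "s0": "user", "s1": "client"},
}


def parse_line(line):
    """Return a dict for one template line; raise ValueError if malformed."""
    line = line.rstrip("\n")
    # Peel the fixed columns off the left ...
    head = line.split("\t", len(FIXED))
    if len(head) != len(FIXED) + 1:
        raise ValueError("missing fixed columns")
    # ... and the twelve slots off the right, so a tab inside $MSGONLY
    # stays in the message instead of shifting every later column.
    # (A tab inside an extracted slot value cannot be recovered this way.)
    tail = head[-1].rsplit("\t", len(SLOTS))
    if len(tail) != len(SLOTS) + 1:
        raise ValueError("missing slot columns")

    record = dict(zip(FIXED, head[:-1]))
    record["msg"] = tail[0]
    names = SLOT_NAMES.get(record["rule_id"], {})
    # Unset macros expand to empty strings; drop them. Slots of rules with
    # no mapping keep their generic names so nothing is silently lost.
    record["fields"] = {
        names.get(slot, slot): value
        for slot, value in zip(SLOTS, tail[1:])
        if value != ""
    }
    return record


# Constructed sample line; note the tab embedded in the message column.
SAMPLE = "\t".join([
    "1288060320", "192.0.2.10", "sshd", "system", "rule-ssh-accept",
    "Accepted password for alice\tfrom 198.51.100.7 port 50022",
    "50022", "", "", "", "", "",
    "alice", "198.51.100.7", "", "", "", "",
]) + "\n"

if __name__ == "__main__":
    print(parse_line(SAMPLE))
```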