Balázs, Marci, list,

On 01-03-11 20:21, Balazs Scheidler wrote:
> On Sun, 2011-02-20 at 17:00 +0100, Valentijn Sessink wrote:
>> On 20-02-11 14:25, Balazs Scheidler wrote:
>>> Yes, you can, but at a cost. To match one message with two patterns, you
>>> will need two different pattern databases:
>>>
>>>   parser db1 {db_parser(file("/var/lib/syslog-ng/db1.xml"));};
>>>   parser db2 {db_parser(file("/var/lib/syslog-ng/db2.xml"));};
>>>
>>> Can you explain why you needed this? Why couldn't you do all processing
>>> in your single rule?
>>
>> My question came from Postfix [cut: explanation about double message trails]
>
> That really is a problem, you basically need two correlation states for the
> same message, while I originally envisioned one. In fact the first designs
> permitted this scenario as well, but the final design doesn't.
I don't understand your findings. If I'm having two db_parser entries in
syslog-ng.conf, it does work, or doesn't it?

But before you all start programming, please note that the very question came
because I was interested in syslog-ng as a message parser for the very reason
Balázs has put on his blog: getting syslog-ng to spit out evil IP addresses.
The rest of my tests were only conducted to see if I understood the pattern
matching; I'm not currently using an smtpd correlating state machine, and I'm
pretty sure I won't need the extra complexity of an *additional* smtpd
connect/disconnect correlating pattern.

So, to summarize:

1) I'm pretty sure I can do without the double matching. I asked out of
curiosity; I got things to work "sort-of". However...

2) If you think my solution (two db_pattern files with the same patterns)
doesn't work in practice, then you might warn that there's a "collision"
between these two databases. As said, having two separate db_parser files did
seem to solve the problem - but I could be wrong, of course. (In which case you
might want to enlighten me ;)

Best regards,

Valentijn
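The two-db_parser setup Balazs describes above, as an added example that is not part of this thread or of the syslog-ng project: a small POSIX shell script that writes two minimal patterndb files and a syslog-ng.conf chaining db1 and db2 on the same Postfix smtpd "connect from" line, then syntax-checks the config if a syslog-ng binary is installed. The directory, the "example" provider, the rule ids, the message patterns and the destination template are constructed for illustration; the template assumes that each db_parser sets ${.classifier.*}, so rule_id ends up showing the parser that ran last.

```shell
#!/bin/sh
# Added example (not from the thread): one Postfix smtpd line matched by a
# rule in each of two pattern databases, chained in a single log path.
set -eu
# write_db PATH RULESET_ID MESSAGE_PATTERN: minimal patterndb v3 file whose
# ruleset only applies to messages whose program name is "postfix/smtpd".
write_db() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="3" pub_date="2011-03-01">
  <ruleset name="$2" id="$2">
    <pattern>postfix/smtpd</pattern>
    <rules>
      <rule provider="example" id="$2-connect" class="system">
        <patterns><pattern>$3</pattern></patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
EOF
}
# write_conf DIR: syslog-ng.conf that runs db1 and then db2 in one log path.
# Each db_parser sets ${.classifier.*}, so rule_id below comes from db2 (assumed).
write_conf() {
  cat > "$1/syslog-ng.conf" <<EOF
@version: 3.2
source s_local { unix-dgram("/dev/log"); };
parser db1 { db_parser(file("$1/db1.xml")); };
parser db2 { db_parser(file("$1/db2.xml")); };
destination d_parsed {
  file("/var/log/smtpd-parsed.log"
       template("rule=\${.classifier.rule_id} action=\${action} client=\${client_addr}\n"));
};
log { source(s_local); parser(db1); parser(db2); destination(d_parsed); };
EOF
}
# build_example DIR: write both databases and the config; db1 splits the peer
# into host and address, db2 extracts the verb and the whole peer string.
build_example() {
  write_db "$1/db1.xml" db1 'connect from @ESTRING:client_hostname:[@@ESTRING:client_addr:]@'
  write_db "$1/db2.xml" db2 '@ESTRING:action: @from @ANYSTRING:client@'
  write_conf "$1"
  if command -v syslog-ng >/dev/null 2>&1; then   # syntax check only if installed
    syslog-ng --syntax-only --cfgfile="$1/syslog-ng.conf"
  fi
}
if [ "$#" -gt 0 ]; then build_example "$1"; fi
```

Run it as `sh build.sh /tmp/pdb` and point db_parser at the generated files; the named parser values (client_addr from db1, action from db2) are then both available to the template.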