Hi Fabien,

Thanks for your response. I was using this snippet of code (taken from the documentation) before, but it doesn't seem to work either:

    value("MESSAGE" "$(format-json .auditd.*)")

So how do I output an aggregated message to the test.json file? Or any file. I apologize if my questions are basic, but I had a hard time finding answers in the documentation. The grouping-by() function could definitely use more explanation.

Kind regards
Maciej

On Tue, 3 Nov 2020 at 13:05, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi Maciek,
On Tue, Nov 03, 2020 at 12:24:40PM +0100, Maciek Solnicki wrote:
    destination {
        file('/tmp/test.json' template("$(format-json .auditd.*)\n"));
    };
};
This means you're outputting the contents of all `.auditd.` macros to file test.json.
But your grouping-by parser generates a message with the macro MESSAGE set to the value "TEST":

    grouping-by(
        key("${.auditd.msg}")
        timeout(10)
        aggregate(value("MESSAGE" "TEST"))
    );
So you won't see it in test.json. Well, more exactly you should see it as the default value of aggregate(inherit-mode()) is "context", but you won't see the MESSAGE:TEST macro as you're omitting it from your output. I'm guessing you should see a message twice in that case.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
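For readers following the thread, here is an added configuration example (mine, not something posted by Maciej or Fabien, and not copied from the syslog-ng documentation) that puts Fabien's point into one complete pipeline: the aggregate() block writes its summary into MESSAGE, and the destination template names MESSAGE explicitly alongside the .auditd.* name-value pairs, so the aggregated line actually shows up in the output file. The audit.log path, the 10-second timeout, the object names (s_audit, p_audit, p_group, d_json) and the summary wording are my own choices.

```conf
@version: 3.29
@include "scl.conf"

# Example pipeline (added here, not from the mailing-list thread).
# Assumed input: a standard auditd log file; the path is an assumption.
source s_audit {
    file("/var/log/audit/audit.log" flags(no-parse));
};

# Split each audit record into .auditd.* name-value pairs
# (the prefix shown is the parser's default, spelled out for clarity).
parser p_audit {
    linux-audit-parser(prefix(".auditd."));
};

# Correlate records that share the same audit message type for 10 seconds
# (timeout value is an assumption), then emit one synthetic message.
parser p_group {
    grouping-by(
        key("${.auditd.msg}")
        timeout(10)
        aggregate(
            # "context" is the default inherit-mode: the synthetic message
            # inherits the .auditd.* values from the messages in the context,
            # which is why they are still available to the destination below.
            inherit-mode("context")
            # The aggregate only becomes visible if the destination template
            # prints MESSAGE; $(context-length) is the number of correlated records.
            value("MESSAGE" "$(context-length) audit record(s) for ${.auditd.msg}")
        )
    );
};

# The template selects both MESSAGE and the .auditd.* pairs. Leaving out
# --key MESSAGE reproduces the original problem: the aggregate's text is dropped.
destination d_json {
    file("/tmp/test.json"
         template("$(format-json --key MESSAGE --key .auditd.*)\n"));
};

log {
    source(s_audit);
    parser(p_audit);
    parser(p_group);
    destination(d_json);
};
```

Two things to expect when running this: the original audit records still travel down the same log path, so /tmp/test.json receives them as well as the synthetic line (this is the "message twice" effect Fabien describes), and the synthetic line is recognisable because its MESSAGE field carries the "N audit record(s) for ..." summary instead of the raw audit text. Add a filter() step after p_group if only the aggregates should reach the file.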