Can't seem to do a simple parse
I am trying to do a very simple parsing test to reformat a message using syslog-ng 3.3.6 and I can't seem to use the value of my macro (mystring):

patterndb (test.xml):

    <patterndb version='4' pub_date='2012-09-21'>
      <ruleset name='test' id='123456678'>
        <pattern>test</pattern>
        <rules>
          <rule provider='me' id='182437592347598' class='system'>
            <patterns>
              <pattern>@STRING:mystring: @</pattern>
            </patterns>
          </rule>
        </rules>
      </ruleset>
    </patterndb>

pdbtool results:

    [root@loghost01 syslog-ng]# pdbtool match -c -D -v -p test.xml -P test -M "INSERT INTO Test (id, value) VALUES (1, .044212)"
    Pattern matching part:
    @STRING:mystring=INSERT INTO Test @
    Matching part:
    INSERT INTO Test
    Values:
    MESSAGE=INSERT INTO Test (id, value) VALUES (1, .044212)
    PROGRAM=test
    .classifier.class=unknown
    TAGS=.classifier.unknown

relevant syslog-ng.conf lines:

    source s_remote { tcp(); };
    parser p_test { db-parser(file("/etc/syslog-ng/test.xml")); };
    destination d_test { file("/var/log/splunk/$HOST" template("Here is the message: ${R_DATE} ${mystring}\n")); };
    log { source(s_remote); parser(p_test); destination(d_test); };

Results from logger "INSERT INTO Test (id, value) VALUES (1, .044212)" on client are:

    Here is the message: Sep 21 16:46:53

Value of ${mystring} is null. What am I missing?

> <pattern>@STRING:mystring: @</pattern>
> Results from logger "INSERT INTO Test (id, value) VALUES (1, .044212)" on client are:
> Value of ${mystring} is null. What am I missing?

@STRING@ doesn't include any whitespace. To get the complete message, use @ANYSTRING@. Otherwise have a look at @ESTRING@ and @QSTRING@

regards
florian
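
As an added illustration of the @ESTRING@ parser mentioned in the reply above (not part of the original thread), this patterndb file splits the thread's sample message into fields and carries its own test case. The ids, the provider name and the sql.* value names are constructed for the example.

```xml
<!-- Added example: ids, provider and the sql.* names are constructed. -->
<patterndb version='4' pub_date='2012-09-21'>
  <ruleset name='test' id='example-ruleset-id'>
    <pattern>test</pattern>
    <rules>
      <rule provider='example' id='example-rule-id' class='system'>
        <patterns>
          <!-- A rule only fires when its pattern consumes the whole message.
               Each ESTRING captures up to its stop string, then skips it:
                 sql.table   stops at " ("
                 sql.columns stops at ") VALUES ("
                 sql.values  stops at the first ")"
               A value that itself contains ")" ends sql.values early and
               the rule no longer matches the full message. -->
          <pattern>INSERT INTO @ESTRING:sql.table: (@@ESTRING:sql.columns:) VALUES (@@ESTRING:sql.values:)@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='test'>INSERT INTO Test (id, value) VALUES (1, .044212)</test_message>
            <test_values>
              <test_value name='sql.table'>Test</test_value>
              <test_value name='sql.columns'>id, value</test_value>
              <test_value name='sql.values'>1, .044212</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Running `pdbtool test test.xml` checks the embedded test_message against its test_values, and a destination template can then reference the fields as ${sql.table}, ${sql.columns} and ${sql.values}.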

I changed test.xml to:

    <patterndb version='4' pub_date='2010-10-17'>
      <ruleset name='test' id='123456678'>
        <pattern>test</pattern>
        <rules>
          <rule provider='me' id='182437592347598' class='system'>
            <patterns>
              <pattern>@ANYSTRING:mystring:@</pattern>
            </patterns>
          </rule>
        </rules>
      </ruleset>
    </patterndb>

Pdbtool now shows:

    pdbtool match -c -D -v -p test.xml -P test -M "INSERT INTO Test (id, value) VALUES (1, .044212)"
    Pattern matching part:
    @ANYSTRING:mystring=INSERT INTO Test (id, value) VALUES (1, .044212)@
    Matching part:
    INSERT INTO Test (id, value) VALUES (1, .044212)
    Values:
    MESSAGE=INSERT INTO Test (id, value) VALUES (1, .044212)
    PROGRAM=test
    .classifier.class=system
    .classifier.rule_id=182437592347598
    mystring=INSERT INTO Test (id, value) VALUES (1, .044212)
    TAGS=

So pdbtool extracts the value but:

    source s_remote { tcp(); };
    parser p_test { db-parser(file("/etc/syslog-ng/test.xml")); };
    destination d_test { file("/var/log/splunk/$HOST" template("Here is the message: ${R_DATE} ${mystring}\n")); };
    log { source(s_remote); parser(p_test); destination(d_test); };

Still outputs to logfile:

    Here is the message: Sep 21 18:56:21

Still no value in output for ${mystring}

-----Original Message-----
From: system@ra-schaal.de [mailto:system@ra-schaal.de]
Sent: Friday, September 21, 2012 2:43 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Can't seem to do a simple parse

> <pattern>@STRING:mystring: @</pattern>
> Results from logger "INSERT INTO Test (id, value) VALUES (1, .044212)" on client are:
> Value of ${mystring} is null. What am I missing?

@STRING@ doesn't include any whitespace. To get the complete message, use @ANYSTRING@. Otherwise have a look at @ESTRING@ and @QSTRING@

regards
florian

participants (2)
- system@ra-schaal.de
- Tracy Dalzell