syslog-ng 3.4.0 parserdb on other than MESSAGE
OK, from what Balazs writes below I guess it is not possible to use the parserdb functionality on the "$HOST $PROGRAM" contents. Can someone confirm this is the case? If it can be done, a quick pointer please. If it can not be done, but I want to, how can I do it?
rewrite { set("$MSG" value("orig.message")); set("$HOST($PROGRAM)" value("MESSAGE")); }
parser(pattern_host_program);
rewrite { set("$orig.message" value("MESSAGE")); set("" value("orig.message")); }
parser(pattern_message);
... all of my filters, log statements etc.
Evan.
________________________________________
From: Balazs Scheidler [bazsi77@gmail.com]
Sent: Saturday, December 22, 2012 6:50 AM
To: Syslog-ng users' and developers' mailing list; Evan Rempel
Subject: Re: [syslog-ng] syslog-ng 3.4.0beta1 has been released
----- Original message -----
I thought that 3.4 was going to include
- junctions so that results of multiple parsers could be combined
it is in.
- the ability to run a parser against a user defined macro rather than always parsing the complete MESSAGE macro.
csvparser has a template() option, but dbparser doesn't (though that's trivial to add). what I had in mind (fully n dimensional patterndb) wasn't finished, and I didn't want to wait any longer.
Did these features fail to make it into 3.4 or is the documentation just missing these items?
docs are not yet completely updated. contributions would be welcome there too.
----- Original message -----
OK, from what Balazs writes below I guess it is not possible to use the parserdb functionality on the "$HOST $PROGRAM" contents.
Can someone confirm this is the case? If it can be done, a quick pointer please.
If it can not be done, but I want to, how can I do it?
rewrite { set("$MSG" value("orig.message")); set("$HOST($PROGRAM)" value("MESSAGE")); }
parser(pattern_host_program);
rewrite { set("$orig.message" value("MESSAGE")); set("" value("orig.message")); }
parser(pattern_message);
this one should work, except for one thing. Values with dots in their name have to be enclosed by braces. e.g. ${orig.message}
but I'd really add the template option, that's much easier.
... all of my filters, log statements etc.
Hi,
Slightly tested patch against syslog-ng 3.4 attached. It was slightly more involved than I've thought, but still not more than half an hour.
Since I've handed over maintenance of 3.4 to Algernon, it's his call whether he integrates it there. I'm going to pick this for 3.5.
On Tue, 2013-01-15 at 07:24 +0100, Balazs Scheidler wrote:
----- Original message -----
OK, from what Balazs writes below I guess it is not possible to use the parserdb functionality on the "$HOST $PROGRAM" contents.
Can someone confirm this is the case? If it can be done, a quick pointer please.
If it can not be done, but I want to, how can I do it?
rewrite { set("$MSG" value("orig.message")); set("$HOST($PROGRAM)" value("MESSAGE")); }
parser(pattern_host_program);
rewrite { set("$orig.message" value("MESSAGE")); set("" value("orig.message")); }
parser(pattern_message);
this one should work, except for one thing. Values with dots in their name have to be enclosed by braces.
e.g. ${orig.message}
but I'd really add the template option, that's much easier.
... all of my filters, log statements etc.
-- Bazsi
Balazs Scheidler <bazsi@balabit.hu> writes:
Slightly tested patch against syslog-ng 3.4 attached. It was slightly more involved than I've thought, but still not more than half an hour.
Since I've handed over maintenance of 3.4 to Algernon, it's his call whether he integrates it there. I'm going to pick this for 3.5.
I'll likely pick the patch for 3.4 too, as it appears to be fairly straightforward, and reasonably isolated, yet, it implements something that's worth breaking the bugfix-only rule. If all goes well, this will be in the RC2 I'm about to release later today.
-- |8]
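The save/swap/parse/restore workaround discussed in this thread, written out as a complete syslog-ng configuration with the brace fix from the reply applied. This is an added example, not configuration posted by any participant; the statement names, file paths, the hostprog.class value name and the pattern database contents are assumptions.

```conf
@version: 3.4

# Hypothetical source and pattern database paths (assumptions for this example).
source s_local { system(); internal(); };

parser pattern_host_program {
    db-parser(file("/etc/syslog-ng/patterndb.d/host_program.xml"));
};
parser pattern_message {
    db-parser(file("/etc/syslog-ng/patterndb.d/message.xml"));
};

# Step 1: keep the real message, then put "$HOST($PROGRAM)" where db-parser looks.
rewrite r_swap_in {
    set("$MSG" value("orig.message"));
    set("$HOST($PROGRAM)" value("MESSAGE"));
};

# Step 2: keep the first classification, restore MESSAGE, clear the scratch value.
# Names containing dots must be referenced with braces, as noted in the thread:
# "$orig.message" would not refer to the value named orig.message.
rewrite r_swap_out {
    set("${.classifier.class}" value("hostprog.class"));
    set("${orig.message}" value("MESSAGE"));
    set("" value("orig.message"));
};

destination d_classified {
    file("/var/log/classified.log"
         template("${hostprog.class} ${.classifier.class} $HOST $PROGRAM $MSG\n"));
};

log {
    source(s_local);
    rewrite(r_swap_in);
    # db-parser still selects its ruleset by PROGRAM, which the swap leaves intact.
    parser(pattern_host_program);
    rewrite(r_swap_out);
    # The second db-parser overwrites .classifier.class, hence the copy above.
    parser(pattern_message);
    destination(d_classified);
};
```

A message that reaches any other log path between the two rewrite steps carries the substituted MESSAGE, so both rewrites and both parsers belong in the same log statement.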