[syslog-ng] Regex subpattern macros [1.9.9]
Mel Collins
mel.collins at monstermob.com
Tue Mar 7 19:18:08 CET 2006
Hi,
I'm using syslog-ng's match filter to extract parts of messages for use in
parts of the destination; specifically in the log file name and template
sections.
The messages sent to syslog-ng for this purpose are all of the format:
"<filename> <message>" (plus whatever sl-ng prepends).
.conf extract:
filter f_logsplitter { match ("^.*?: ([^ ]*) (.*)$"); };
destination d_logfiles {
file ("/our/logs/$1"
template ("$2\n")
...
etc.
Eg. For the message "root: foo/bar.log some text", the log
file /our/logs/foo/bar.log gets "some text" appended to it.
Now this seems to work fine for low traffic, but if I send 10k messages in a
tight loop - either locally or remotely via TCP - $2 contains the wrong
string for many/most of them, eg:
07/03/2006 16:56:34 SEEK #3
07/03/2006 16:56:35 SEEK #3
07/03/2006 16:56:35 SEEK #3
07/03/2006 16:56:35 SEEK #7
07/03/2006 16:56:35 SEEK #7
07/03/2006 16:56:35 SEEK #7
07/03/2006 16:56:35 SEEK #7
07/03/2006 16:56:35 SEEK #8
07/03/2006 16:56:35 SEEK #11
07/03/2006 16:56:35 SEEK #11
07/03/2006 16:56:35 SEEK #11
...where the #number should be consecutive.
If I use $MSGONLY, or such, the correct message line is used.
It seems to me like the subpattern macros - $1, $2, etc - aren't maintained
on a per-message basis, but are global..?
Given that they aren't documented (that I can find), are the presence of $1,
etc. an unintended side-effect of using a regex? Am I doing something I
shouldn't by using them?
Or did I find me a bug? ;o)
Takk,
- Mel C
More information about the syslog-ng
mailing list