[syslog-ng] Filter empty program

G R ng.syslogng at gmail.com
Fri Aug 29 10:00:05 CEST 2008


I think I've found a solution.
If the attribute program is empty, then the attributes $MSG and $MSGONLY
should be equal.
Does the filter function match() try to match $MSG or $MSGONLY?

Trying this doesn't work, but I think this can be the beginning of the
solution:

match($MSGONLY)
or,
match($MSG)
depending on which of $MSG or $MSGONLY the filter function applies to.

2008/8/29 G R <ng.syslogng at gmail.com>

> I've looked at the program field and it's empty.
> It seems that syslog-ng tries to find the attribute program before ":" and my
> logs start with this ":". Printing the program attribute in my log shows me
> that this attribute is really empty.
> So I'd like to make a filter using a matcher for the ":" of the message and
> another matcher on the empty program attribute.
>
> 2008/8/29 Geller, Sandor (IT) <Sandor.Geller at morganstanley.com>
>
> Hi,
>>
>> > I got something in the message that can help, but I'd like to
>> > use it with the empty program attribute (being as specific as
>> > possible).
>> >
>> > So there is no way to filter an empty program attribute?
>>
>> I don't think so. When syslog-ng parses the log it has to guess
>> what format is applied to the log line, so it will fill in the
>> program field with the first string which is right after the
>> priority date hostname triplet. So I think at least one word
>> of your log will end up in the program field, and it isn't
>> available for match() later... You could work around this by
>> combining the program() and the match() into a single filter,
>> or use an external program to do the filtering.
>>
>> Regards,
>>
>> Sandor