[syslog-ng] Not able to match on a field in syslog messages from a DataPower Appliance

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Thu Jul 17 16:39:31 CEST 2008


Hi,

> >USER.DEBUG: Jul 15 18:23:44 DPRASSyslogAudit3 [system][debug]
> >trans(383): cpu usage: 57%(10 sec) 57%(1 min) 57%(10
> >min) 56%(1 hour) 58%(1 day)
> >
> >In syslog wire protocol the field immediately after the
> >timestamp is the hostname, so this message would be
> >interpreted as being from a host called DPRASSyslogAudit3.
> >Your filters are not matching these messages because match()
> >only matches elements of the message body and the text you're
> >looking for does not appear in the message body.
> >
> >Joe.
>
> That's actually what I thought (but forgot to mention in my earlier
> email), but when I try to match on host it doesn't catch anything
> either.  Neither of these catch anything:
>
> filter group_syncDPextest {
>  host("DP[:digit:]+Syslog")
>  or host("DPRASSyslogAudit[:digit:]+")
> ;};

Correct me if I'm wrong but [:digit:] isn't exactly what you're after.
Use [[:digit:]] instead.

Regards,

Sandor
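As an added illustration of both points made in the thread (this is example code written for this page, not part of the mailing list discussion and not syslog-ng's own parser), the Go program below splits a BSD-syslog (RFC 3164) line into PRI, timestamp, host and body, then applies the two patterns from the original filter. It stands in for syslog-ng's host() and match() filters with Go's regexp package; the assumption here is that Go's RE2 syntax treats a top-level `[:digit:]` the same way a POSIX bracket expression does, as the set of the five characters `:` `d` `i` `g` `t`, while `[[:digit:]]` is the real digit class. The sample line is constructed from the message quoted above, with the `<15>` PRI (facility user, severity debug, which syslog-ng prints as USER.DEBUG) prepended as it would appear on the wire.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// SampleLine is a constructed RFC 3164 line rebuilt from the message quoted
// in the thread. <15> is facility user (1*8) plus severity debug (7), which is
// what syslog-ng renders as USER.DEBUG.
const SampleLine = "<15>Jul 15 18:23:44 DPRASSyslogAudit3 [system][debug] trans(383): cpu usage: 57%(10 sec) 57%(1 min) 57%(10 min) 56%(1 hour) 58%(1 day)"

// SyslogMsg holds the fields an RFC 3164 parser splits a line into.
type SyslogMsg struct {
	Pri       int
	Timestamp string
	Host      string // the token right after the timestamp
	Body      string // everything after the host token
}

// ParseBSDSyslog splits "<PRI>Mmm dd hh:mm:ss HOST BODY". The token right after
// the 15-character timestamp is taken as the hostname, which is why the
// DataPower tag "DPRASSyslogAudit3" lands in the host field, not in the body.
func ParseBSDSyslog(line string) (SyslogMsg, error) {
	var m SyslogMsg
	if !strings.HasPrefix(line, "<") {
		return m, errors.New("missing <PRI>")
	}
	end := strings.IndexByte(line, '>')
	if end < 2 {
		return m, errors.New("malformed <PRI>")
	}
	pri, err := strconv.Atoi(line[1:end])
	if err != nil {
		return m, fmt.Errorf("bad PRI: %w", err)
	}
	m.Pri = pri
	rest := line[end+1:]
	// "Mmm dd hh:mm:ss" is always 15 bytes (the day is space-padded).
	if len(rest) < 16 || rest[15] != ' ' {
		return m, errors.New("malformed timestamp")
	}
	m.Timestamp = rest[:15]
	rest = rest[16:]
	sp := strings.IndexByte(rest, ' ')
	if sp < 0 {
		return m, errors.New("missing message body")
	}
	m.Host = rest[:sp]
	m.Body = rest[sp+1:]
	return m, nil
}

// HostFilter stands in for a syslog-ng host("...") filter: the regex is
// applied to the parsed host field only.
func HostFilter(pattern string, m SyslogMsg) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(m.Host), nil
}

// MatchFilter stands in for match("..."): the regex is applied to the body
// only, so a hostname pattern never sees the text it is looking for.
func MatchFilter(pattern string, m SyslogMsg) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(m.Body), nil
}

func main() {
	m, err := ParseBSDSyslog(SampleLine)
	if err != nil {
		panic(err)
	}
	fmt.Printf("pri=%d host=%q\n", m.Pri, m.Host)
	for _, f := range []struct {
		name, pattern string
		fn            func(string, SyslogMsg) (bool, error)
	}{
		{"match", `DPRASSyslogAudit[[:digit:]]+`, MatchFilter}, // wrong field
		{"host", `DPRASSyslogAudit[:digit:]+`, HostFilter},     // wrong class syntax
		{"host", `DPRASSyslogAudit[[:digit:]]+`, HostFilter},   // correct
	} {
		ok, err := f.fn(f.pattern, m)
		fmt.Printf("%s(%q) -> %v %v\n", f.name, f.pattern, ok, err)
	}
}
```

Only the last filter matches: match() never sees the host token, and `[:digit:]` without the enclosing brackets compiles without error but never matches the trailing `3`, which is exactly why neither original filter caught anything.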

