[syslog-ng] db-parser issues
Balazs Scheidler
bazsi at balabit.hu
Wed Jun 3 11:26:20 CEST 2009
On Tue, 2009-06-02 at 12:42 +0200, Jakub Jankowski wrote:
> On 2009-06-02, Robert Fekete wrote:
>
> > I think the problem is that you define a pattern in your xml for the program
> > as well:
> >> <program name='logger'>
> >> <pattern>param</pattern>
> > The <pattern> tag overrides the <program name>, so instead of logger,
> > syslog-ng thinks this rule applies to messages that have "param" in their
> > PROGRAM field.
>
> In addition to what you've quoted above, I also tried:
>
> 1. <program name='logger'>
> <pattern>logger</pattern>
>
> 2. <program name='somethingirrelevant'>
> <pattern>logger</pattern>
>
> and even without <pattern>:
>
> 3. <program name='logger'>
>
>
> All of these give me the same result - no match. Any other suggestions?

Sorry for not answering any sooner. I was somewhat distracted by other
things (like preparing my presentation for Nordic Nagios Meet where I'm
sitting right now :)

The attribute value of the name attribute in the program element serves
only to document the database, it is not used for matching.
The important part is <pattern></pattern> inside the program element.

I tested your db snippet, and the problems were:

* if you don't specify, logger will send "<someone>" as the program
  name, so please use "logger -t logger"
* you need to specify "logger" enclosed in "pattern" tags.

In that way I got your pattern to match.

Robert has worked on documenting db-parser(), I just didn't have time to
review it yet, however he told me he'd publish a draft of the
documentation, so you can have it earlier, and possibly fix
omissions/problems.

Robi, can you post the URL for the draft docs here?

--
Bazsi
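
As an added example (not part of the original message and not syslog-ng code), a small check for the mistake discussed in this thread: since the name attribute only documents the database and <pattern> is what gets matched against PROGRAM, it flags <program> elements that have no <pattern> or whose <pattern> text differs from name. The <patterndb> wrapper element, the sample entries and the function name lint_programs are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only <program name=...> and its <pattern> child come from
# the thread; the <patterndb> wrapper element is an assumption for this example.
SAMPLE_DB = """
<patterndb>
  <program name='logger'>
    <pattern>param</pattern>
  </program>
  <program name='somethingirrelevant'>
    <pattern>logger</pattern>
  </program>
  <program name='logger'>
  </program>
  <program name='sshd'>
    <pattern>sshd</pattern>
  </program>
</patterndb>
"""


def lint_programs(xml_text):
    """Return (name, effective_pattern, finding) for every <program> element."""
    findings = []
    for prog in ET.fromstring(xml_text).iter("program"):
        name = prog.get("name", "")
        pat = prog.find("pattern")  # direct child only, not patterns nested deeper
        text = (pat.text or "").strip() if pat is not None else ""
        if not text:
            finding = "no-pattern"      # nothing to match PROGRAM against
        elif text != name:
            finding = "name-differs"    # name is documentation; pattern decides
        else:
            finding = "ok"
        findings.append((name, text or None, finding))
    return findings


if __name__ == "__main__":
    for name, pattern, finding in lint_programs(SAMPLE_DB):
        print(f"name={name!r:24} pattern={pattern!r:10} {finding}")
```

A "name-differs" finding is not necessarily an error, but it marks entries where the documented name would mislead someone reading the database about which PROGRAM value is matched.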