[syslog-ng] advice/assistance with parsing attempt requested

syslog-ng2010 at hushmail.com syslog-ng2010 at hushmail.com
Mon Dec 6 12:18:01 CET 2010


I've spent the better part of the past week reading and trying to understand both the documentation and list posts trying to sort this out. If anyone can offer some advice as to whether this is possible or not and, if so, what I'm doing wrong, I would really appreciate it! …

I have a simple enough task, or so I thought! I've got a syslog stream being received by syslog-ng with too much data. What I'd like to do is parse out pieces of the stream and write only those to a file. The tricky part is that the order of the stream is very variable, so that sometimes the desired named-parser preceding strings and associated values are present and sometimes not. Furthermore, the extra data is also quite variable. Can this challenge even be addressed with syslog-ng OSE? If so, can it be done with patterndb without creating a pattern for EVERY variation of possible streams? For clarification, we've tried to leverage an external Perl script which does this using regexes, but it seems that it can't keep up with the stream; we only receive 10% of the original events in the output. If this (external parsing script) is the only way this can be done, we will continue our efforts to enhance the external script, but if this can be done natively within syslog-ng, I'd rather do that.

With the following configuration, I am able to generate output log entries which correctly contain the global macros $DATE $FULLHOST $PROGRAM as well as the strings preceding the named-parser variables, but not the named-parser macros. My output looks like this:

Dec 2 11:11:11 127.0.0.1 ABC: 0 namedparser1= namedparser2= namedparser3= namedparser4= namedparser5=


*****examples of entries in source stream*****

Dec 2 11:11:11 127.0.0.1 ABC: 0 namedparser1=namedparser1value extra1=extravalue1 namedparser2=namedparser2value namedparser3=namedparser3value extra2=extravalue2 namedparser4=namedparser4value namedparser5=namedparser5value extra3=extravalue3

Dec 2 11:11:11 127.0.0.1 ABC: 0 extra1=extravalue1 namedparser3=namedparser3value extra2=extravalue2 namedparser4=namedparser4value namedparser5=namedparser5value extra3=extravalue3 extra4=extravalue4

Dec 2 11:11:11 127.0.0.1 ABC: 0 namedparser1=namedparser1value extra1=extravalue1 namedparser2=namedparser2value namedparser3=namedparser3value extra2=extravalue2 namedparser4=namedparser4value extra3=extravalue3

*****examples of desired output*****

Dec 2 11:11:11 127.0.0.1 ABC: 0 namedparser1=namedparser1value namedparser2=namedparser2value namedparser3=namedparser3value namedparser4=namedparser4value namedparser5=namedparser5value

Dec 2 11:11:11 127.0.0.1 ABC: 0  namedparser3=namedparser3value namedparser4=namedparser4value namedparser5=namedparser5value

Dec 2 11:11:11 127.0.0.1 ABC: 0 namedparser1=namedparser1value namedparser2=namedparser2value namedparser3=namedparser3value namedparser4=namedparser4value


*****included in conf file*****

# pattern database parser: fills the NAMEDPARSERn name-value pairs on a match
parser pattern_db {
	db_parser(file("/opt/syslog-ng/config/patterndb.xml"));
};

# reduced output line: global macros plus the named-parser values
template reduced {
	template("$DATE $FULLHOST $PROGRAM: 0 namedparser1=$NAMEDPARSER1 namedparser2=$NAMEDPARSER2 namedparser3=$NAMEDPARSER3 namedparser4=$NAMEDPARSER4 namedparser5=$NAMEDPARSER5 \n");
	template_escape(no);
};

destination d_logfile {
	file("/opt/syslog-ng/logs/logfile" template(reduced));
};

log {
	source(source);
	parser(pattern_db);
	destination(d_logfile);
};


*****patterndb.xml contents*****

<patterndb version='3' pub_date=''>
	<ruleset name='globe' id='1234567890'>
		<pattern>ABC</pattern>
		<rules>
			<rule provider='someone' id='123' class='system'>
				<patterns>
					<pattern>ABC namedparser1=@ESTRING:NAMEDPARSER1:\ @ namedparser2=@ESTRING:NAMEDPARSER2:\ @ namedparser3=@ESTRING:NAMEDPARSER3:\ @ namedparser4=@ESTRING:NAMEDPARSER4:\ @ namedparser5=@ESTRING:NAMEDPARSER5:\ @</pattern>
				</patterns>
			</rule>
		</rules>
	</ruleset>
</patterndb>


MANY thanks in advance!
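The filtering the post asks for (keep only the wanted key=value pairs wherever they appear in the line, drop every extra one, omit the ones that are missing), written as a stand-alone Python example; this is added here and is neither the poster's Perl script nor a syslog-ng feature. It assumes BSD-style "<date> <host> <program>: <message>" lines and uses sample entries constructed from those quoted above:

```python
import re

# Keys the reduced line should keep, in the output order wanted above.
WANTED = ["namedparser1", "namedparser2", "namedparser3",
          "namedparser4", "namedparser5"]

# Assumed line shape: "<DATE> <HOST> <PROGRAM>: <MESSAGE>" (BSD syslog style).
HEADER = re.compile(
    r"^(?P<date>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^:\s]+): (?P<msg>.*)$"
)

# Sample input constructed from the source-stream entries quoted in the post.
SAMPLE = [
    "Dec 2 11:11:11 127.0.0.1 ABC: 0 namedparser1=namedparser1value extra1=extravalue1 "
    "namedparser2=namedparser2value namedparser3=namedparser3value extra2=extravalue2 "
    "namedparser4=namedparser4value namedparser5=namedparser5value extra3=extravalue3",
    "Dec 2 11:11:11 127.0.0.1 ABC: 0 extra1=extravalue1 namedparser3=namedparser3value "
    "extra2=extravalue2 namedparser4=namedparser4value namedparser5=namedparser5value "
    "extra3=extravalue3 extra4=extravalue4",
]

def parse_kv(msg):
    """Split the message body into its leading free-text tokens (the '0' above)
    and a dict of key=value pairs.  Pair order and count vary per line, so pairs
    are collected by name rather than by position; if a key is repeated, the
    first occurrence wins and later duplicates are ignored."""
    head, pairs = [], {}
    for tok in msg.split():
        key, sep, val = tok.partition("=")
        if not sep:
            head.append(tok)
        elif key not in pairs:
            pairs[key] = val
    return " ".join(head), pairs

def reduce_line(line):
    """Return the reduced line, or None when the header does not match
    (such lines are dropped rather than guessed at)."""
    m = HEADER.match(line)
    if not m:
        return None
    head, pairs = parse_kv(m.group("msg"))
    kept = ["%s=%s" % (k, pairs[k]) for k in WANTED if k in pairs]
    return "%s %s %s: %s" % (m.group("date"), m.group("host"),
                             m.group("program"), " ".join([head] + kept))

if __name__ == "__main__":
    for line in SAMPLE:
        print(reduce_line(line))
```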
