[syslog-ng] Bazsi's blog: Syslog-ng correllation

Balazs Scheidler bazsi at balabit.hu
Wed Oct 6 16:06:24 CEST 2010


On Thu, 2010-09-30 at 14:19 -0500, Martin Holste wrote:
> > you have to generate it. in the example above I've parsed a value out of
> > the log message as $sessionid, but you can use more complex values like:
> >
> 
> Ok, got it.
> 
> > ahh. I've just noted that I didn't blog about $(grep) and $(if), but
> > they certainly do what they imply:
> >
> > $(grep filter template1 template2 template3...)
> >
> > searches for messages in the current correlation state matched by
> > filter expression "filter" and evaluating the templates.
> >
> > $(if filter foo bar)
> >
> 
> Cool!

Thanks. I take this as a compliment. :) In fact I do like template
functions a lot. If only I had a scripting engine embedded into
syslog-ng to make extending it really easy.

But anyway, writing a template function in C is as easy as possible.

> 
> > If filter is true results in foo, otherwise bar.
> 
> So, an example statement might be:
> 
> $(if ${useracct}1 == "?" ${useracct}="unknown" ${useracct}=${useracct}
> 
> Is that right?  I guess I'm not understanding foo and bar in your example.

The foo and bar parts are what the $(if) construct expands to if the
result of the filter evaluation is true / false respectively.

I'm afraid I can't understand your example.

> 
> >
> > Filters got extended too, now you can use simple comparison operators
> > a'la perl: numeric comparison is the same as C (<, <=, ==, >=, >, !=),
> > string comparison is the same as perl: lt, le, eq, ge, gt, ne
> >
> > You can compare templates, e.g. "$FACILITY_NUM" > "5"
> >
> 
> Coupled with the inet_aton functionality you've already added, this
> would mean you could do filtering based on IP ranges, right?

Yes.

-- 
Bazsi
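The semantics discussed above ($(if filter foo bar), $(grep filter template...), and the C-style numeric versus Perl-style string comparison operators) as a small constructed model in Python. This is an added example, not syslog-ng's own code: it assumes numeric operands are well-formed numbers, and it returns one result per matched message for $(grep) rather than modelling how syslog-ng joins them.

```python
import re
from typing import Callable, Dict, List

# Constructed model of the filter comparison semantics described in the
# thread (added example, not syslog-ng's own code). Numeric operators
# follow C, string operators follow Perl; both operands are templates.
NUMERIC_OPS: Dict[str, Callable[[float, float], bool]] = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
}
STRING_OPS: Dict[str, Callable[[str, str], bool]] = {
    "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
    "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b,
}

def expand(template: str, msg: Dict[str, str]) -> str:
    """Expand ${name} and $name references; unset names expand to ""."""
    return re.sub(r"\$\{(\w+)\}|\$(\w+)",
                  lambda m: msg.get(m.group(1) or m.group(2), ""), template)

def matches(left: str, op: str, right: str, msg: Dict[str, str]) -> bool:
    """Evaluate a comparison filter such as "$FACILITY_NUM" > "5".
    Assumption: operands of numeric operators expand to valid numbers."""
    lhs, rhs = expand(left, msg), expand(right, msg)
    if op in NUMERIC_OPS:
        return NUMERIC_OPS[op](float(lhs), float(rhs))
    return STRING_OPS[op](lhs, rhs)

def if_func(left: str, op: str, right: str, foo: str, bar: str,
            msg: Dict[str, str]) -> str:
    """$(if filter foo bar): expands to foo when the filter is true, else bar."""
    return expand(foo if matches(left, op, right, msg) else bar, msg)

def grep_func(left: str, op: str, right: str, templates: List[str],
              state: List[Dict[str, str]]) -> List[str]:
    """$(grep filter t1 t2 ...): evaluate the templates for every message in
    the correlation state that the filter matches (one result per message)."""
    return [" ".join(expand(t, m) for t in templates)
            for m in state if matches(left, op, right, m)]

# Constructed correlation state: three messages sharing one session id.
STATE = [
    {"sessionid": "42", "FACILITY_NUM": "10", "useracct": ""},
    {"sessionid": "42", "FACILITY_NUM": "4", "useracct": "alice"},
    {"sessionid": "42", "FACILITY_NUM": "16", "useracct": "root"},
]
```

Note the difference between `>` and `gt` on the first message: numerically "10" is greater than "5", but as a Perl-style string comparison "10" sorts before "5", so a filter written with the wrong operator family silently selects the wrong messages.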
