[syslog-ng] Bazsi's blog: syslog-ng correllation updated

[Balazs Scheidler]

On Tue, 2010-10-12 at 09:50 -0500, Martin Holste wrote:
> Thanks for the examples, this helps.  However, I do have a question.
> The best use I can think of for this is to correlate our email gateway
> logs, which currently spew about 20 log entries per email.  I'd love
> for all of the data to be printed out in one line like you've
> demonstrated the action feature can accomplish.  The problem that I
> foresee is that many log entries do not have $PID available, just
> $HOST and $PROGRAM, and that will not be unique enough.  Our mail
> gateways have message ID's built into the log entry, but it would have
> to be parsed out with a pattern.  Can this be done and still work
> within the system you've created?  If so, can you show an example?

Yes, sure. context-id attribute can contain values parsed outside the
message.

e.g. if you have parsed out the queue-id from the log that groups the
log messages, you can use:

context-scope="host" context-id="mail-correllation:${queue_id}"

Assuming that even the $PROGRAM value varies between lines. If that
stays the same, you could probably use context-scope="program".


-- 
Bazsi