[syslog-ng] Bazsi's blog: syslog-ng correlation updated

Martin Holste mcholste at gmail.com
Fri Oct 15 22:42:07 CEST 2010


Perfect, thanks!

On Fri, Oct 15, 2010 at 3:14 PM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Tue, 2010-10-12 at 09:50 -0500, Martin Holste wrote:
>> Thanks for the examples, this helps.  However, I do have a question.
>> The best use I can think of for this is to correlate our email gateway
>> logs, which currently spew about 20 log entries per email.  I'd love
>> for all of the data to be printed out in one line like you've
>> demonstrated the action feature can accomplish.  The problem that I
>> foresee is that many log entries do not have $PID available, just
>> $HOST and $PROGRAM, and that will not be unique enough.  Our mail
>> gateways have message ID's built into the log entry, but it would have
>> to be parsed out with a pattern.  Can this be done and still work
>> within the system you've created?  If so, can you show an example?
>
> Yes, sure. context-id attribute can contain values parsed outside the
> message.
>
> e.g. if you have parsed out the queue-id from the log that groups the
> log messages, you can use:
>
> context-scope="host" context-id="mail-correllation:${queue_id}"
>
> Assuming that even the $PROGRAM value varies between lines. If that
> stays the same, you could probably use context-scope="program".
>
>
> --
> Bazsi
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
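As an added illustration (not part of the thread and not syslog-ng's own code), the following Python model shows what the reply above describes: a correlation context keyed by a value parsed out of the message body (a mail queue id) rather than by $PID, with context-scope deciding whether $HOST or $HOST plus $PROGRAM also form part of the key, and one summary line emitted per context when it times out. The log lines, host names, queue id format and field names are constructed for the example; the timeout semantics (the timer restarts on every message that joins the context) are this model's assumption about the behaviour, not a statement about the syslog-ng implementation.

```python
import re

# Constructed sample mail-gateway lines: (timestamp, $HOST, $PROGRAM, $MESSAGE).
# The queue id is inside the message text; there is no $PID to correlate on.
# The same queue id appears on two hosts to show why context-scope="host" matters.
SAMPLE_LOGS = [
    (0.0, "mx1", "postfix/smtpd",   "A1B2C3D4E5: client=relay.example.net[192.0.2.10]"),
    (0.5, "mx1", "postfix/cleanup", "A1B2C3D4E5: message-id=<msg1@example.net>"),
    (0.6, "mx2", "postfix/smtpd",   "A1B2C3D4E5: client=other.example.org[198.51.100.7]"),
    (1.0, "mx1", "postfix/qmgr",    "A1B2C3D4E5: from=<alice@example.net>, size=1234"),
    (2.0, "mx1", "postfix/smtp",    "A1B2C3D4E5: to=<bob@example.com>, status=sent (250 ok)"),
    (2.5, "mx2", "postfix/qmgr",    "A1B2C3D4E5: from=<carol@example.org>, size=999"),
]

QUEUE_ID_RE = re.compile(r"^([0-9A-F]{8,12}):\s*(.*)$")


def parse_message(message):
    """Extract the queue id and the 'key=value' fields that follow it.

    Returns (queue_id, fields) or None if the line carries no queue id.
    This stands in for the pattern that would parse ${queue_id} in syslog-ng."""
    m = QUEUE_ID_RE.match(message)
    if not m:
        return None
    queue_id, rest = m.groups()
    fields = {}
    for part in rest.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return queue_id, fields


def context_key(scope, host, program, queue_id):
    """Build the correlation key the way context-scope would.

    The parsed queue id is always part of the key (context-id); the scope adds
    $HOST ("host") or $HOST and $PROGRAM ("program"); "global" adds nothing."""
    ctx_id = "mail-correlation:" + queue_id
    if scope == "host":
        return (host, ctx_id)
    if scope == "program":
        return (host, program, ctx_id)
    return (ctx_id,)


def correlate(logs, timeout=5.0, scope="host"):
    """Replay log tuples through an in-memory correlation table.

    Each context collects the fields of every message sharing its key and is
    emitted as one summary dict when no message has joined it for `timeout`
    seconds (assumed restart-on-message semantics) or when the replay ends."""
    contexts = {}   # key -> context dict, insertion ordered
    summaries = []

    def expire(now):
        for key in [k for k, c in contexts.items() if now - c["last"] >= timeout]:
            summaries.append(contexts.pop(key))

    for ts, host, program, message in logs:
        expire(ts)
        parsed = parse_message(message)
        if parsed is None:
            continue              # lines without a queue id never open a context
        queue_id, fields = parsed
        key = context_key(scope, host, program, queue_id)
        ctx = contexts.get(key)
        if ctx is None:
            ctx = {"host": host, "queue_id": queue_id, "first": ts,
                   "count": 0, "values": {}}
            contexts[key] = ctx
        ctx["last"] = ts
        ctx["count"] += 1
        ctx["values"].update(fields)

    # End of input: flush whatever is still open, oldest context first.
    for key in list(contexts):
        summaries.append(contexts.pop(key))
    return summaries


def render(summary):
    """Format one context as the single line the thread wants per email."""
    fields = " ".join(f"{k}={v}" for k, v in sorted(summary["values"].items()))
    return (f"{summary['host']} queue={summary['queue_id']} "
            f"msgs={summary['count']} {fields}")


if __name__ == "__main__":
    for s in correlate(SAMPLE_LOGS):
        print(render(s))
```

With the default scope and a generous timeout the six lines collapse to two summaries, one per host, each carrying the merged sender, recipient and delivery status. Switching to scope="program" splits the same traffic into six contexts, because $PROGRAM differs on every line of a delivery, which is the caveat in the reply; shortening the timeout below the gap between two log lines of one email splits a delivery into several partial summaries, so the timeout has to cover the slowest expected delivery.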