[syslog-ng] pattern matching on xxx#

[Bill Anderson]

On Oct 18, 2010, at 12:32 PM, Matthew Hall wrote:

> On Mon, Oct 18, 2010 at 12:25:50PM -0600, Bill Anderson wrote:
>> 
>> On Oct 18, 2010, at 11:48 AM, Bill Anderson wrote:
>>> 
>>> 
>>> Perhaps doing the rewrite then using a patterndb entry? I'll go try that.
>> 
>> Nope. Rewriting host1 to host-1 then calling the patterndb does not 
>> work. Reasoning: rewriting the APACHE.ROLEHOST has no effect on $MSG, 
>> which is what the patterndb gets.  Which in hindsight, I should have 
>> known.
> 
> Hi Bill,
> 
> I did try to follow your first email but it got complicated and covered 
> some areas of the syslog-ng product I have not used before so I am not 
> sure if you tried this already or not.

3.x is new to me so much if these areas are likewise new to me. :)

> 
> I was thinking maybe you might be able to help your situation by using 
> APACHE.ROLEHOST in the output file naming template. Once you have added 
> that variable to the message it should stay there despite further 
> parsings with CSV or patterndb unless overwritten.

I could, but the goal was to not use it there. Initially it would contain say host1, but in my file naming I want just "host" (a directory). And in that directory would be one access file with host1 and host2 logs written to it.

> So once you created the APACHE.ROLEHOST variable the first time using 
> CSV parser, you could still probably reference it in your arguments to 
> the file() driver or other output driver template.

I just found a way. You CAN use the rewrite set to set a new field to a parsed field. To wit:
rewrite r_set1{ set("${APACHE.ROLEHOST}", value("RHOST") ); };

This gives me the ability to instead of rewriting APACHE.ROLEHOST, to rewrite RHOST, which of course leaves APACHE.ROLEHOST intact. :D

Thus my criteria sans performance testing are met. 

Now to perf test it. :D 

Thanks to you, Martin, and Balazs.


Cheers,
Bill