[syslog-ng] Logging all message metadata

Martin Holste mcholste at gmail.com
Tue Oct 26 05:41:17 CEST 2010


I don't think you understood the third option, which does do that,
though only for a finite number of fields.  If you use generic names
for your extractions "@NUMBER:i0:@ @NUMBER:i1:@ @ESTRING:s0:%@" etc.
then your single template works for any message:

template("$R_UNIXTIME\t$SOURCEIP\t$PROGRAM\t${.classifier.class}\t${.classifier.rule_id}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n");

As long as no pattern extraction uses a name other than i0-s5, you're
good to go.

On Mon, Oct 25, 2010 at 10:32 PM, Lars Kellogg-Stedman <lars at oddbit.com> wrote:
>> There are a couple of ways you can handle this:
>
> These are all useful suggestions, but I'm still stuck with the root of
> the problem -- I don't know how to get "all the metadata" associated
> with a message using any of the existing output drivers.  Anything
> using templates I need to explicitly define the content of the
> message, and the sql() driver, as you point out, also requires
> explicitly selecting metadata.
>
> Neither of these allow me access to any and all information generated
> by the parsing engine -- which may change periodically as I updated
> the pattern database.
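A consumer for the tab-separated lines that Martin's template above writes, as an added example that is not part of the thread. It assumes the template is used unchanged with a file destination, relies on syslog-ng expanding an unset macro to an empty string, and uses a constructed sample line (the rule id is a placeholder, not a real patterndb id).

```python
"""Parse lines produced by the generic i0..s5 syslog-ng template."""
from typing import Dict, List, Union

# Column order mirrors the template() in the message above.
COLUMNS: List[str] = [
    "R_UNIXTIME", "SOURCEIP", "PROGRAM", "classifier.class",
    "classifier.rule_id", "MSGONLY",
    "i0", "i1", "i2", "i3", "i4", "i5",
    "s0", "s1", "s2", "s3", "s4", "s5",
]
# i0..i5 are filled by @NUMBER:...:@ extractions, so they are cast to int.
INT_COLUMNS = {"i0", "i1", "i2", "i3", "i4", "i5"}


def parse_line(line: str) -> Dict[str, Union[int, str]]:
    """Turn one template line into a dict of the fields the rule actually set.

    Every line carries all 18 columns because syslog-ng renders an unset
    macro as "", so a rule that only extracted i0 and s0 still yields a
    full row; empty columns are dropped here. A tab inside $MSGONLY or an
    extracted string breaks the fixed layout, which is reported rather
    than silently shifting columns.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}")
    record: Dict[str, Union[int, str]] = {}
    for name, value in zip(COLUMNS, fields):
        if value == "":
            continue
        record[name] = int(value) if name in INT_COLUMNS else value
    return record


# Constructed sample: an sshd login where the rule extracted i0, s0 and s1.
SAMPLE_FIELDS = [
    "1288064477", "192.0.2.10", "sshd", "system", "constructed-rule-id",
    "Accepted publickey for alice from 198.51.100.7 port 51522",
    "51522", "", "", "", "", "",
    "alice", "198.51.100.7", "", "", "", "",
]
SAMPLE_LINE = "\t".join(SAMPLE_FIELDS) + "\n"

if __name__ == "__main__":
    print(parse_line(SAMPLE_LINE))
```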