[syslog-ng] Thoughts on patterndb syntax
Matthew Hall
mhall at mhcomputing.net
Thu Oct 28 20:51:13 CEST 2010
I always dealt with the messages containing heinous characters (such as
\t and \n) by running them through a rewrite rule to strip them out and
replace them with ' ', then collecting them to an output file with this
template.
template t_raw {
template("${MSGONLY}\n");
};
After that then you can just create the PatternDB based on the content
of the file and you should be OK.
Scarier question: how do you detect multiline log messages when the logs
arrive over a TCP socket? :-)
Matthew.
On Thu, Oct 28, 2010 at 08:40:07PM +0200, Balazs Scheidler wrote:
> On Thu, 2010-10-21 at 12:26 -0400, Lars Kellogg-Stedman wrote:
> > > Interesting idea and of course doable, but then if there's indeed
> > > multiple spaces in the message, you get in trouble.
> >
> > If you were to only give linebreaks special treatment -- so that
> > "this\nthat" would become "this that" -- then you've probably solved
> > both problems; messages can be wrapped for readability and you can
> > still include arbitrary stretches of whitespace in the expression.
>
> Hmm... and what about multi-line messages? sorry to raise one problem at
> a time, but this how they come to my scattered and distracted mind.
> (after returning from Netfilter Workshop where I spent my last week,
> this week is close to horrible :)
>
> --
> Bazsi
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
More information about the syslog-ng
mailing list