[syslog-ng] Bazsi's blog: Syslog-ng correllation

Balazs Scheidler bazsi at balabit.hu
Thu Sep 30 08:16:20 CEST 2010 

On Wed, 2010-09-29 at 11:16 -0500, Martin Holste wrote:
> This is powerful stuff!  I'm really looking forward to exploring all
> of the ways it can be used.  The Postfix usage example is a great one.
>  One clarification: is $sessionid autogenerated by Syslog-NG, or do we
> have to create it ourselves using tuples from the messages?  I'm
> assuming it'll use something akin to the $SEQNUM macro.

you have to generate it. in the example above I've parsed a value out of
the log message as $sessionid, but you can use more complex values like:

$HOST:$PID is usually good, but in other cases the log messaeg contains
an explicit session id (postfix messageid for example).

> 
> One other question, can you join an entire preceding message by using
> something like ${MSG}@0?  

@0 is the current message, but template functions get a chance to do
with the complete correlation state, thus $(grep) is iterating over all
messages. We do have $(echo) but that's intentionally as simple as
possible, it only uses the last message.

hmm.. something like $(grep ("a" == "a") $MSG) would do the trick, but
may not be the the most intuitive to write.

ahh. I've just noted that I didn't blog about $(grep) and $(if), but
they certainly do what they imply:

$(grep filter template1 template2 template3...)

searches for messages in the current correllation state matched by
filter expression "filter" and evaluating the templates.

$(if filter foo bar)

If filter is true results in foo, otherwise bar.

Filters got extended too, now you can use simple comparison operators
a'la perl: numeric comparison is the same as C (<, <=, ==, >=, >, !=),
string comparison is the same as perl: lt, le, eq, ge, gt, ne

You can compare templates, e.g. "$FACILITY_NUM" > "5"

> If so, it would be great if there were a
> built-in to say all preceding messages, like ${MSG}@-1 or @ALL or
> something, but I guess that's getting a little more app-level than I'd
> prefer.

it depends if you want all name-value pairs, or just a single name-value
pair. we just have to come up with names for the various functions. they
are all possible and simple to do.

-- 
Bazsi

More information about the syslog-ng mailing list