[syslog-ng] Bazsi's blog: Syslog-ng correllation

Martin Holste mcholste at gmail.com
Thu Sep 30 21:19:16 CEST 2010


> you have to generate it. in the example above I've parsed a value out of
> the log message as $sessionid, but you can use more complex values like:
>

Ok, got it.

> ahh. I've just noted that I didn't blog about $(grep) and $(if), but
> they certainly do what they imply:
>
> $(grep filter template1 template2 template3...)
>
> searches for messages in the current correlation state matched by
> filter expression "filter" and evaluating the templates.
>
> $(if filter foo bar)
>

Cool!

> If filter is true results in foo, otherwise bar.

So, an example statement might be:

$(if ${useracct}1 == "?" ${useracct}="unknown" ${useracct}=${useracct}

Is that right?  I guess I'm not understanding foo and bar in your example.

>
> Filters got extended too, now you can use simple comparison operators
> à la perl: numeric comparison is the same as C (<, <=, ==, >=, >, !=),
> string comparison is the same as perl: lt, le, eq, ge, gt, ne
>
> You can compare templates, e.g. "$FACILITY_NUM" > "5"
>

Coupled with the inet_aton functionality you've already added, this
would mean you could do filtering based on IP ranges, right?
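The $(if) template function and the comparison filters discussed in this thread, as an added configuration example that is not part of the original exchange or of syslog-ng's own documentation. It assumes the released syntax, where the condition inside $(if) and $(grep) is wrapped in parentheses, and it assumes ${useracct} has already been extracted by a parser that is not shown here (the object names p_useracct, t_account and f_important are made up for the example):

```conf
@version: 3.2

# Constructed example: ${useracct} is assumed to be filled in by a
# parser defined elsewhere (e.g. a pattern database); if the field is
# empty, $(if) substitutes "unknown" instead of leaving a blank.
# Inner double quotes are escaped because the whole template is itself
# a double-quoted string.
template t_account {
    template("${ISODATE} ${HOST} user=$(if (\"${useracct}\" eq \"\") \"unknown\" \"${useracct}\")\n");
};

# Comparison operators from the blog post: numeric comparison is C-style,
# string comparison is perl-style (lt, le, eq, ge, gt, ne).
# Keep everything above facility 5 that did not come from the test host.
filter f_important {
    "${FACILITY_NUM}" > "5" and "${HOST}" ne "testbox";
};

# $(grep) over the current correlation state: list the hosts of all
# correlated messages whose level number is below 4 (errors and worse).
template t_error_hosts {
    template("${ISODATE} error-hosts=$(grep (\"${LEVEL_NUM}\" < \"4\") ${HOST})\n");
};

destination d_account {
    file("/var/log/accounts.log" template(t_account));
};

log {
    source(s_local);
    filter(f_important);
    destination(d_account);
};
```

The point of the $(if) form is that the defaulting happens inside the template, so downstream consumers never see an empty user field; the filter example shows the two comparison families side by side, since mixing a numeric operator with a string-valued macro (or vice versa) is the usual source of a filter that silently matches nothing.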
