[syslog-ng] Struggling with regexp, store-matches and csv-parser macros

Balazs Scheidler bazsi at balabit.hu
Sun Aug 14 16:34:46 CEST 2011


On Fri, 2011-08-05 at 14:08 +0200, Remy Zandwijk wrote:
> Hi list,
> 
> so, I am new to syslog-ng and I am struggling with the features
> regexp/store-matches and csv-parser macros. I searched the web and
> mailing list archive for these two subjects, but that didn't answer my
> questions. The syslog-ng 3.1.3 I'm using is running on Debian Squeeze.
> 
> filter f_mytest {
>     facility(local0) and
>     level(debug) and
>     match("^www" value("MSGHDR") flags("store-matches"));
> };
> 
> template t_mytest {
>     template("${MSG}--${1}\n");
> };
> 
> destination d_mytest {
>     # a template is attached to the destination driver, not to the log path
>     file("/var/tmp/mytest.log" template(t_mytest));
> };
> 
> log {
>     source(s_src);
>     filter(f_mytest);
>     destination(d_mytest);
> };
> 
> 
> When I send a message to syslog-ng with
> `logger -p local0.debug -t www testmessage`, nothing appears in the
> logfile. However, when flags("store-matches") is omitted, the message
> appears as expected. Why does this filter not work?
> 
> 
> I am playing around with the csv-parser function as well. The
> (user-defined) macros can be used in file() functions, but I found out
> that they don't work in owner() and group() functions. Is that
> expected?

Oops, I forgot this part of your question. owner() and group() do not
support template expansion, so they can't contain information derived
from the log messages.

It'd be quite complicated to do and I'd say also quite fragile, and
security-wise not very good: can you really trust the log message so
much that you'd set the access rights of log files based on it?

-- 
Bazsi
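An added configuration example (not from either poster) that illustrates the answer above: csv-parser columns are usable as macros in the file() path and template, while owner()/group()/perm() stay literal because they are not template-expanded. It assumes the s_src source and f_mytest filter from the quoted config, and a constructed message format of three comma-separated fields.

```conf
# Added example, not part of the original thread.
# Assumes s_src and f_mytest from the question above and messages shaped like
#   "<service>,<event>,<free text>"   (constructed format for this example)
parser p_mytest {
    csv-parser(
        columns("COL_SERVICE", "COL_EVENT", "COL_DETAIL")
        delimiters(",")
        flags(escape-none)
    );
};

destination d_mytest {
    # Template expansion works here: the path and template use parsed columns.
    file("/var/tmp/mytest/${COL_SERVICE}/${COL_EVENT}.log"
        template("${ISODATE} ${HOST} ${COL_DETAIL}\n")
        create_dirs(yes)
        dir_owner("root")
        dir_group("adm")
        dir_perm(0750)
        # No expansion here: a value such as "${COL_SERVICE}" would be taken
        # literally. The ownership and mode of every created file are fixed by
        # the configuration, not by whatever the message happens to contain.
        owner("root")
        group("adm")
        perm(0640)
    );
};

log {
    source(s_src);
    filter(f_mytest);
    parser(p_mytest);
    destination(d_mytest);
};
```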
