[syslog-ng] Impossibility to use multiple occurrences of the same parser
Guillaume Rousse
guillomovitch at gmail.com
Tue Feb 1 15:46:02 CET 2011
Hello list.

My syslog-ng configuration is modular, so as to be easily deployed on
all our hosts. There is a main configuration file, and one additional
included file per service. Our LDAP and Kerberos servers are hosted on
the same host (LDAP is our Kerberos backend).

Main file has:

    parser p_db {
        db-parser();
    };
    filter f_drop {
        tags("dropthis");
    };
    destination d_drop {
    };

LDAP file has:

    log {
        source(s_sys);
        filter(f_ldap);
        parser(p_db);
        log {
            filter(f_drop);
            destination(d_drop);
            flags(final);
        };
        log {
            destination(d_ldap);
            flags(final);
        };
    };

Kerberos file has:

    log {
        source(s_sys);
        filter(f_kerberos);
        parser(p_db);
        log {
            filter(f_drop);
            destination(d_drop);
            flags(final);
        };
        log {
            destination(d_kerberos);
            flags(final);
        };
    };

This is incorrect, because parser(p_db) is used in two different log
statements, and syslog-ng doesn't start, with a cryptic message:

    Error initializing message pipeline;

If I try to use the parser only once, in the main file, tagging doesn't
occur.

The only solution I found was to declare two different parsers, one for
each of the two files. As they both use a different pattern db fragment,
it reduces the interest of merging them into a single pattern db file
with update-patterndb.
--
BOFH excuse #179:
multicasts on broken packets
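
Added example, not part of the original post and not syslog-ng code: a pre-deployment check that flags any named parser referenced from more than one top-level log statement, the condition the post reports as stopping syslog-ng from starting. The sample text is constructed from the fragments quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the main, LDAP and Kerberos fragments from the post, concatenated.
SAMPLE = """
parser p_db { db-parser(); };
filter f_drop { tags("dropthis"); };
destination d_drop { };
log {
    source(s_sys); filter(f_ldap); parser(p_db);
    log { filter(f_drop); destination(d_drop); flags(final); };
    log { destination(d_ldap); flags(final); };
};
log {
    source(s_sys); filter(f_kerberos); parser(p_db);
    log { filter(f_drop); destination(d_drop); flags(final); };
    log { destination(d_kerberos); flags(final); };
};
"""

def top_level_log_blocks(config):
    """Yield the body of each top-level log { ... } statement, nested logs included."""
    text = re.sub(r'"[^"\n]*"', '""', config)  # blank strings so braces or '#' inside them are ignored
    text = re.sub(r"#[^\n]*", "", text)        # drop comments
    depth, start = 0, None
    for m in re.finditer(r"(?<![\w-])log\s*\{|[{}]", text):
        tok = m.group()
        if tok == "}":
            depth -= 1
            if depth == 0 and start is not None:
                yield text[start:m.start()]
                start = None
        else:
            if depth == 0 and tok != "{":      # a log statement opening at top level
                start = m.end()
            depth += 1

def shared_parsers(config):
    """Return {parser name: count} for parsers referenced by more than one top-level log."""
    users = defaultdict(set)
    for idx, body in enumerate(top_level_log_blocks(config)):
        for name in re.findall(r"(?<![\w-])parser\s*\(\s*([\w.-]+)\s*\)", body):
            users[name].add(idx)
    return {name: len(ids) for name, ids in users.items() if len(ids) > 1}

if __name__ == "__main__":
    for name, count in shared_parsers(SAMPLE).items():
        print(f"parser({name}) is referenced from {count} separate log statements")
```

Run it over the concatenation of the main file and every included file, since the conflict only appears once the fragments are combined.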