[syslog-ng] using correlation to filter out some messages ?

[Balazs Scheidler]

On Wed, 2011-01-26 at 11:21 +0100, Guillaume Rousse wrote:
> Le 24/01/2011 17:35, Balazs Scheidler a écrit :
> > you should enclose the macro reference in quotes like this:
> > 
> > condition="'${MESSAGE}@1' == ''"
> >            ^            ^
> > 
> > in a filter expression, all strings are assumed to be templates, and
> > then you can use operators like you did. but macro references also need
> > to be enclosed in quotes (either apostrophes or double quotes will
> > work), this time it was easier to use apostrophes because the XML
> > attribute used quotes.
> OK, this time syslog-ng doesn't choke, but the re-emited message is
> leaking to stdout (actually, to the console used to launch it, I just
> presume it's syslog-ng stdout), which is quite painful:
> 
> [root at avron1 ~]# service syslog-ng start
> Lancement de syslog-ng :                                        [  OK  ]
> [root at avron1 ~]# 2011 Jan 26 11:16:21 avron1 conn=1569812 fd=39 closed
> (connection lost)
> 2011 Jan 26 11:16:21 avron1 conn=1569813 fd=60 closed (connection lost)
> 2011 Jan 26 11:16:23 avron1 conn=1569814 fd=39 closed (connection lost)
> 2011 Jan 26 11:16:23 avron1 conn=1569815 fd=60 closed (connection lost)
> 
> Morevoer, it also suggested the condition used doesn't work, as those
> messages shouldn't have been re-emited at all.
> 
> I'm attaching patterndb and syslog-ng configuration related fragments.

hmm... reemitted messages are coming in the internal() source, and in
case you don't have that in your configuration file anywhere, it might
come out on stdout.


-- 
Bazsi