[syslog-ng] consecutive pattern parsers, and some other pattern matching questions

Valentijn Sessink valentyn at blub.net
Thu Feb 10 13:54:52 CET 2011


Hello list,

I'm trying to setup a pattern DB for Postfix, and I'm running into a
couple of problems.

1) One of the log messages I would like to catch is:
 connect from smtp.example.com[xxxx:xxxx:300:40c1::23]
Now I'd like to catch both hostname and IP-address, and maybe I'd like
to feed the IP address into some sort of program later. So I thought I'd
better put these in individual variables. However, the matching rule
<pattern>connect from @ESTRING:postfix.remotehost:[@@IPvANY:postfix.remoteip@]</pattern>

doesn't work, because of the double "@@" - which is handled as an
escaped "@", instead of two consecutive pattern parsers.

So my first question is: how can I have two consecutive pattern parsers
in a pattern?

2) Other messages say things like:
64A7F3001E7: from=<something at example.com> .....
The syslog-ng OSE admin guide tells me to use @QSTRING:<>@ to match the
mail address; but this shows an error. Is @QSTRING:&lt;&gt;@ the correct
way to proceed? (Or is this impossible with the current implementation?)

3) My third question boils down to: is it possible to correlate *one*
single message into *two* separate trails? Would that just work by
adding the same pattern to two different contexts? The question comes
from Postfix using a bunch of small, interconnected programs, so a log
trail of a single mail message will change characteristics during its
journey. For example, when a message comes in, smtpd will log:
 connect from smtp.example.com[xxxx:xxxx:300:40c1::23]
... it could then hand over the message with:
 599903001E7: client=smtp.example.com[xxxx:xxxx:300:40c1::23]
... and then other programs continue the log trail using this queue-ID
599903001E7 as a marker. So here are basically two events intertwined: a
connection (that just says "connect..." and "... disconnect" and has a
context-scope of "program"); and a longer event that starts with the
"connect..." and ends with delivery - or even forwarding - of the mail
message - and probably has a "host" context-scope.

4) and finally: is there a good way to immediately end a certain
context-scope? For example, after "disconnect from
smtp.example.com[xxxx:xxxx:300:40c1::23]", the smtp phase is over, so
there's no use keeping this context in memory anymore. Would adding
something like "context-timeout=0" to the "disconnect" pattern work?

Best regards,

Valentijn
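A worked model of question 3, added here as an example and not code from the original post or from syslog-ng: a small Python correlator feeds the same Postfix lines into two trails, a connection context keyed by program and client (closed immediately on "disconnect from", the effect asked about in question 4) and a mail context keyed by queue-ID. The log lines and the IPv6 address are constructed, and the regexes stand in for the @ESTRING@/@IPvANY@ parsers rather than reproducing syslog-ng's patterndb.

```python
import re

# Constructed Postfix lines (syslog prefix stripped); address is a documentation value, not real.
SAMPLE_LOG = [
    "smtpd[2031]: connect from smtp.example.com[2001:db8:300:40c1::23]",
    "smtpd[2031]: 599903001E7: client=smtp.example.com[2001:db8:300:40c1::23]",
    "cleanup[2040]: 599903001E7: message-id=<20110210.constructed@example.com>",
    "qmgr[2011]: 599903001E7: from=<alice@example.com>, size=1234, nrcpt=1 (queue active)",
    "smtpd[2031]: disconnect from smtp.example.com[2001:db8:300:40c1::23]",
    "local[2050]: 599903001E7: to=<bob@example.com>, status=sent (delivered to mailbox)",
    "qmgr[2011]: 599903001E7: removed",
]

LINE = re.compile(r"^(?P<prog>[a-z]+)\[\d+\]: (?P<msg>.*)$")
# hostname up to "[" and address up to "]": the role of ESTRING + IPvANY in the question
CONN = re.compile(r"^(?P<ev>connect|disconnect) from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]$")
QUEUED = re.compile(r"^(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT = re.compile(r"^client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]$")


def correlate(lines):
    """Return (closed_connections, mails): two trails fed by the same lines."""
    open_conn = {}   # (program, host, ip) -> lines; a "program"-style context scope
    closed_conn = []
    mails = {}       # queue-ID -> {"client": (host, ip), "lines": [...], "done": bool}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        c = CONN.match(msg)
        if c:
            key = (prog, c.group("host"), c.group("ip"))
            if c.group("ev") == "connect":
                open_conn[key] = [line]
            else:
                # disconnect ends the connection context at once (the context-timeout=0 idea)
                trail = open_conn.pop(key, [])
                trail.append(line)
                closed_conn.append(trail)
            continue
        q = QUEUED.match(msg)
        if q:
            qid, rest = q.group("qid"), q.group("rest")
            mail = mails.setdefault(qid, {"client": None, "lines": [], "done": False})
            cl = CLIENT.match(rest)
            if cl:  # this one line belongs to both trails: the open connection and the mail
                mail["client"] = (cl.group("host"), cl.group("ip"))
                open_conn.get((prog, cl.group("host"), cl.group("ip")), []).append(line)
            mail["lines"].append(line)
            mail["done"] = rest == "removed" or mail["done"]
    return closed_conn, mails
```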

