[syslog-ng] consecutive pattern parsers, and some other pattern matching questions

Valentijn Sessink valentyn at blub.net
Fri Feb 11 14:14:16 CET 2011


All right, replying to myself:

Valentijn Sessink wrote:
> 1) @ESTRING:postfix.remotehost:[@@IPvANY:postfix.remoteip@]</pattern>

I probably had a typo in the original pattern; as far as I can see, it
does work with two consecutive pattern parsers.

> 2) The syslog-ng OSE admin guide tells me to use @QSTRING:<>@ to match the

This is a bit unclear in the documentation. The documentation just
mentions the QSTRING:<> match, while naturally, the < and > need to be
escaped (&lt; and &gt;).

> 3) My third question boils down to: is it possible to correlate *one*
> single message into *two* separate trails?

Yes, you can, but at a cost. To match one message with two patterns, you
will need two different pattern databases:
parser db1 {db_parser(file("/var/lib/syslog-ng/db1.xml"));};
parser db2 {db_parser(file("/var/lib/syslog-ng/db2.xml"));};

Then, in the log {} entry, specify parser(db1) for the first pattern
and parser(db2) for the second. This seems to work as expected.

Trying to match with identical patterns in one database won't work (for
technical reasons).

Valentijn
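
Added example (not part of the original post or of syslog-ng): a small Python lint for a pattern database file that catches the two pitfalls described above, a raw < or > inside a pattern and the same pattern used by two rules of one database. The sample databases, the rule ids, the "from=" prefix and the postfix.from name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample databases; ids, names and the "from=" prefix are made up.
DB = ("<patterndb version='3' pub_date='2011-02-11'>"
      "<ruleset name='postfix' id='rs-1'><pattern>postfix</pattern>"
      "<rules>{rules}</rules></ruleset></patterndb>")
RULE = ("<rule provider='local' id='{id}' class='system'>"
        "<patterns><pattern>{p}</pattern></patterns></rule>")
HOST = "@ESTRING:postfix.remotehost:[@@IPvANY:postfix.remoteip@]"  # from the post

GOOD = DB.format(rules=RULE.format(id="r1", p="from=@QSTRING:postfix.from:&lt;&gt;@"))
RAW = DB.format(rules=RULE.format(id="r1", p="from=@QSTRING:postfix.from:<>@"))
DUP = DB.format(rules=RULE.format(id="r1", p=HOST) + RULE.format(id="r2", p=HOST))


def rule_patterns(ruleset):
    """Message patterns of every rule in one <ruleset>, entities decoded."""
    return [p.text for rule in ruleset.iter("rule") for p in rule.iter("pattern")]


def lint_patterndb(xml_text):
    """Return a list of findings for one database; an empty list means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A raw "<>" in a pattern is read as broken markup by the XML parser.
        return [f"not well-formed XML ({exc}): write < and > as &lt; and &gt;"]
    findings = []
    for ruleset in root.iter("ruleset"):
        for pattern, count in Counter(rule_patterns(ruleset)).items():
            if count > 1:
                findings.append(f"{ruleset.get('name')}: {pattern!r} appears in "
                                f"{count} rules; move one rule to a second database")
    return findings


if __name__ == "__main__":
    for label, db in (("good", GOOD), ("raw <>", RAW), ("duplicate", DUP)):
        print(label, "->", lint_patterndb(db) or "clean")
```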

