[syslog-ng] Message correlation, everything needs an "@"? And a grep problem.
Valentijn Sessink
valentyn at blub.net
Fri Feb 11 16:48:16 CET 2011
Hello list,
After playing with correlation for a while, here are a few remarks on
its workings. I have played with syslog-ng 3.2.2, built from source on
an Ubuntu 10.04 machine.
For some reason, the "@1", "@2"... etcetera specifiers needed to be all
over the place to be able to see any variable at all. For example, the
rule below describes the last message of a Postfix log trail. Note that
even the context-id is specified as "${queueid}@1". All other references
also have an "@" sign. Without the @, the variables seem just empty.
<rule id='X' context-id="${queueid}@1" context-scope="host"
      provider="openoffice" class="maildelivery">
  <patterns>
    <pattern>@ESTRING:queueid: @removed</pattern>
  </patterns>
  <actions>
    <action>
      <message>
        <values>
          <!-- angle brackets in element content are escaped so the XML stays well-formed -->
          <value name="MESSAGE">${queueid}@1 mail
to=&lt;${toaddress}@2&gt; from=&lt;${pffrom}@3&gt; connection
from=${pfremotehost}@5[${pfremoteip}@5] msgid=&lt;${msgid}@4&gt;
orig_to=&lt;${origto}@2&gt; delay=${deliverystatus}@2</value>
        </values>
      </message>
    </action>
  </actions>
</rule>
Is this how it's meant to be?
Then, when trying to use the "grep" template function in this message, I
can't seem to find out how it works. Using the exact example from the
documentation, $(grep ("${username}" == "root") ${auth_method}), I only
get an error:
Error parsing filter expression, syntax error, unexpected $undefined in
<string> at line 1, column 3:
(${
^
Trying to alter the message, using "$something" == "value", doesn't seem
to have an effect, i.e. I can't get "grep" to find any values. In fact,
I'm not even sure if I can use the names from the (E/Q)STRING parsers
right away, or if I need to have <value name="something"> tags before I
can grep for them.
In fact, most of the time, the grep I would like to use is something
like: $(grep ( "$variable" != "" ) "$variable"). But whatever I try, no
results from grep.
Could anyone please clarify?
Best regards,
Valentijn
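As an added illustration (not part of the original post and not syslog-ng's own code), the stand-alone Python script below simulates what the rule above does: it groups a constructed Postfix log trail by queue id, captures the fields the ESTRING/QSTRING parsers would extract, and emits one summary line when the "removed" message closes the context, including only variables that are non-empty, which is the effect the $(grep ("$variable" != "") "$variable") template in the post is after. The variable names (queueid, toaddress, pffrom, pfremotehost, pfremoteip, msgid, origto, deliverystatus) follow the post; the log lines and regexes are constructed assumptions, and the script does not reproduce syslog-ng's @N index semantics.

```python
import re
from collections import defaultdict
# Constructed sample trail for one Postfix queue id (sample data, not from the post).
SAMPLE_LOG = """\
Feb 11 16:40:01 mx postfix/smtpd[2101]: 3F2A1C0B1: client=relay.example.net[192.0.2.10]
Feb 11 16:40:01 mx postfix/cleanup[2105]: 3F2A1C0B1: message-id=<abc123@example.net>
Feb 11 16:40:01 mx postfix/qmgr[1901]: 3F2A1C0B1: from=<alice@example.net>, size=1234, nrcpt=1 (queue active)
Feb 11 16:40:02 mx postfix/local[2110]: 3F2A1C0B1: to=<bob@example.org>, orig_to=<postmaster@example.org>, relay=local, delay=0.5, status=sent (delivered to mailbox)
Feb 11 16:40:02 mx postfix/qmgr[1901]: 3F2A1C0B1: removed
"""
# Regexes standing in for the ESTRING/QSTRING parsers; variable names follow the post.
QUEUEID = re.compile(r"postfix/\S+: ([0-9A-F]+): (.*)$")
FIELDS = {
    "pfremotehost": re.compile(r"client=([^\[]+)\["),
    "pfremoteip": re.compile(r"client=[^\[]+\[([^\]]+)\]"),
    "msgid": re.compile(r"message-id=<([^>]*)>"),
    "pffrom": re.compile(r"from=<([^>]*)>"),
    "toaddress": re.compile(r"(?<!orig_)to=<([^>]*)>"),  # do not match orig_to=
    "origto": re.compile(r"orig_to=<([^>]*)>"),
    "deliverystatus": re.compile(r"status=(\w+)"),
}

def format_summary(queueid, ctx):
    # Emit only variables that were actually captured, i.e. the "$variable" != "" filter.
    parts = [f"{queueid} mail"]
    for name in ("toaddress", "pffrom", "pfremotehost", "pfremoteip",
                 "msgid", "origto", "deliverystatus"):
        if ctx.get(name):
            parts.append(f"{name}={ctx[name]}")
    return " ".join(parts)

def correlate(log_text):
    # One context per queue id; the "removed" message closes it and triggers the action.
    contexts = defaultdict(dict)
    summaries = []
    for line in log_text.splitlines():
        m = QUEUEID.search(line)
        if not m:
            continue
        queueid, rest = m.group(1), m.group(2)
        ctx = contexts[queueid]
        for name, rx in FIELDS.items():
            f = rx.search(rest)
            if f:
                ctx[name] = f.group(1)
        if rest.strip() == "removed":
            summaries.append(format_summary(queueid, ctx))
            del contexts[queueid]  # drop the closed context
    return summaries
```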