[syslog-ng] PatternDB: macros extraction from URLs

Ioan Indreias indreias at gmail.com
Thu Feb 17 09:31:27 CET 2011


Hello all,

We are using OSE 3.2.1 version and till now we have managed to
configure most of the patterns we need.

However, we have reached a point where we need some hints from the
users of this list. The problem is the following: how to extract
macros when their order is not known (like in a URL).

For example, we would like to extract 'user' and 'action' from a URL
like the one mentioned below:

APP[9988]: WEB[0011]: http://abc.example.com/query.php?user=test1&action=login&host=prod1&device=device1 HTTP 1.1

Unfortunately, the "user" and "action" could be placed anywhere in the
URL (as the URL is not created by our application), thus we have to
create something like this:

<pattern>http://abc.example.com/query.php@ESTRING::u@ser=@ESTRING:user:&amp;@action=@ESTRING:action:&amp;@</pattern>
<pattern>http://abc.example.com/query.php@ESTRING::u@ser=@ESTRING:user:&amp;@ESTRING::a@ction=@ESTRING:action:&amp;@</pattern>
<pattern>http://abc.example.com/query.php@ESTRING::a@ction=@ESTRING:action:&amp;@user=@ESTRING:user:&amp;@</pattern>
<pattern>http://abc.example.com/query.php@ESTRING::a@ction=@ESTRING:action:&amp;@ESTRING::u@ser=@ESTRING:user:&amp;@</pattern>
and so on....

Not to mention if we need to extract the 'device' macro as well - the
number of patterns grows significantly.

Does somebody have some hints on how to optimize the extraction of macros
when they are not in a known order?

Thank you in advance,
Ioan
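
An added example, not part of the original post and not a syslog-ng or PatternDB feature: one way to extract the named query parameters regardless of their order is to parse the URL's query string outside the pattern database, shown here in Python. The sample lines are constructed from the message in the post, and `extract_fields`, `WANTED` and `SAMPLES` are hypothetical names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines modelled on the message in the post. The second
# reorders the parameters and percent-encodes a value; the third omits some.
SAMPLES = [
    "APP[9988]: WEB[0011]: http://abc.example.com/query.php"
    "?user=test1&action=login&host=prod1&device=device1 HTTP 1.1",
    "APP[9988]: WEB[0011]: http://abc.example.com/query.php"
    "?device=device2&action=logout&user=test%202 HTTP 1.1",
    "APP[9988]: WEB[0011]: http://abc.example.com/query.php"
    "?host=prod1&user=test3 HTTP 1.1",
]

# First http(s) URL in the message; it ends at the next whitespace.
URL_RE = re.compile(r"\bhttps?://\S+")

# Fields named in the post (assumption: these are the only ones needed).
WANTED = ("user", "action", "device")


def extract_fields(line, wanted=WANTED):
    """Return {name: value} for the wanted query parameters, in any order.

    Parameters missing from the URL are omitted. If a parameter is repeated,
    the first value is kept so a later duplicate cannot override it.
    """
    match = URL_RE.search(line)
    if match is None:
        return {}
    query = urlsplit(match.group(0)).query
    # parse_qs splits on '&', percent-decodes, and groups repeated keys.
    params = parse_qs(query, keep_blank_values=True)
    return {name: params[name][0] for name in wanted if name in params}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(extract_fields(sample))
```

One parser covers every ordering, so adding 'device' means adding one name to `WANTED` rather than another set of patterns.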

