[syslog-ng] consecutive pattern parsers, and some other pattern matching questions

Balazs Scheidler bazsi at balabit.hu
Sun Feb 20 14:25:27 CET 2011


Hi,

Thanks for summarizing your experience and results.

On Fri, 2011-02-11 at 14:14 +0100, Valentijn Sessink wrote:
> All right, replying to myself:
> 
> Valentijn Sessink schreef:
> > 1) @ESTRING:postfix.remotehost:[@@IPvANY:postfix.remoteip@]</pattern>
> 
> I probably had a typo in the original pattern; as far as I can see, it
> does work with two consecutive pattern parsers.

Yes, it should. These are explicitly tested by the unit tests, but
probably should be mentioned in the admin guide explicitly, as it comes
up every now and then.

> 
> > 2) The syslog-ng OSE admin guide tells me to use @QSTRING:<>@ to match the
> 
> This is a bit unclear in the documentation. The documentation just
> mentions the QSTRING:<> match, while naturally, the < and > need to be
> escaped (&lt; and &gt;).

Again, a note would be useful that patterndb is in XML format, and thus
XML special characters need to be escaped.

> 
> > 3) My third question boils down to: is it possible to correlate *one*
> > single message into *two* separate trails?
> 
> Yes, you can, but at a cost. To match one message with two patterns, you
> will need two different pattern databases:
> parser db1 {db_parser(file("/var/lib/syslog-ng/db1.xml"));};
> parser db2 {db_parser(file("/var/lib/syslog-ng/db2.xml"));};

Can you explain why you needed this? Why couldn't you do all processing
in your single rule?

> 
> Then, in the log {} entry, specify parser(db1) for the first pattern;
> and parser(db2) for the second. This seems to work as expected.
> 
> Trying to match with identical patterns in one database won't work (for
> technical reasons).

That's right, since rules are not evaluated sequentially.

-- 
Bazsi

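To make points 1 and 2 of the thread concrete, here is an added example of a pattern database, not a file from the original posts or from the syslog-ng project. It combines the two consecutive parsers from Valentijn's pattern (ESTRING directly followed by IPvANY) with a QSTRING whose angle-bracket delimiters are written as XML entities, and carries `<examples>` so `pdbtool test` can check the extractions. The program names, rule ids, the `/var/lib/syslog-ng/db1.xml` path and the two Postfix-style log lines are all constructed for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for /var/lib/syslog-ng/db1.xml (constructed; not from the thread).
     The ruleset and rule "id" values are placeholders; use unique UUIDs in practice. -->
<patterndb version="4" pub_date="2011-02-20">
  <ruleset name="postfix" id="postfix-example-ruleset">
    <!-- Program-name patterns: which $PROGRAM values this ruleset applies to. -->
    <patterns>
      <pattern>postfix/smtpd</pattern>
      <pattern>postfix/cleanup</pattern>
    </patterns>
    <rules>
      <!-- Rule 1: two consecutive parsers. ESTRING consumes everything up to and
           including the "[" delimiter, IPvANY then takes the address, and the
           literal "]" closes the match. -->
      <rule provider="example" id="postfix-example-rule-1" class="system">
        <patterns>
          <pattern>connect from @ESTRING:postfix.remotehost:[@@IPvANY:postfix.remoteip@]</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="postfix/smtpd">connect from mail.example.org[192.0.2.10]</test_message>
            <test_values>
              <test_value name="postfix.remotehost">mail.example.org</test_value>
              <test_value name="postfix.remoteip">192.0.2.10</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
      <!-- Rule 2: QSTRING delimited by angle brackets. Because the database is XML,
           the delimiters must be written as &lt; and &gt;; a literal <> would be
           read as a tag and the file would not load. The same applies to the
           test message below. QSTRING stores the value without the delimiters. -->
      <rule provider="example" id="postfix-example-rule-2" class="system">
        <patterns>
          <pattern>@ESTRING:postfix.queueid::@ message-id=@QSTRING:postfix.message_id:&lt;&gt;@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="postfix/cleanup">3F2A1B4C5D: message-id=&lt;20110220142527.GA1234@example.org&gt;</test_message>
            <test_values>
              <test_value name="postfix.queueid">3F2A1B4C5D</test_value>
              <test_value name="postfix.message_id">20110220142527.GA1234@example.org</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

`pdbtool test /var/lib/syslog-ng/db1.xml` runs the embedded examples and reports any `test_value` that does not match what the parser extracted, which is the quickest way to catch a typo in a pattern such as the one suspected in point 1. To see the extracted name-value pairs for a single line, use `pdbtool match -p /var/lib/syslog-ng/db1.xml -P postfix/smtpd -M "connect from mail.example.org[192.0.2.10]"`. This file is loaded with `db_parser(file("/var/lib/syslog-ng/db1.xml"))` as in the config quoted above; the two rules here match different messages, so they can live in one database, whereas two rules meant to match the same message still need separate databases as the thread describes.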