[syslog-ng] Message correlation, everything needs an "@"? And a grep problem.
Balazs Scheidler
bazsi at balabit.hu
Sun Feb 20 14:43:50 CET 2011
Hi,
On Fri, 2011-02-11 at 16:48 +0100, Valentijn Sessink wrote:
> Hello list,
>
> After playing with correlation for a while, here are a few remarks on
> its workings. I have played with syslog-ng 3.2.2, built from source on
> an Ubuntu 10.04 machine.
>
> For some reason, the "@1", "@2"... etcetera specifiers needed to be all
> over the place to be able to see any variable at all. For example, the
> rule below describes the last message of a Postfix log trail. Note that
> even the context-id is specified as "${queueid}@1". All other references
> also have an "@" sign. Without the @, the variables seem just empty.
>
> <rule id='X' context-id="${queueid}@1" context-scope="host"
> provider="openoffice" class="maildelivery">
> <patterns>
> <pattern>@ESTRING:queueid: @removed</pattern>
> </patterns>
> <actions>
> <action>
> <message>
> <values>
> <value name="MESSAGE">${queueid}@1 mail
> to=<${toaddress}@2> from=<${pffrom}@3> connection
> from=${pfremotehost}@5[${pfremoteip}@5] msgid=<${msgid}@4>
> orig_to=<${origto}@2> delay=${deliverystatus}@2</value>
> </values>
> </message>
> </action>
> </actions>
> </rule>
>
> Is this how it's meant to be?
hmm.. no, @1 should be the one before the current message. I've just
tried to reproduce this with 3.3 but it works fine.
... seems to work OK in 3.2 too. How did you reproduce this exactly?
>
> Then, when trying to use the "grep" template function in this message, I
> can't seem to find out how it works. Using the exact example from the
> documentation, $(grep ("${username}" == "root") ${auth_method}), I only
> get an error:
> Error parsing filter expression, syntax error, unexpected $undefined in
> <string> at line 1, column 3:
>
> (${
> ^
The error message seems to indicate that the quotes are missing. Let me
check this too.
Yes, that's the problem. hmm.. The XML shouldn't do this, as this is a
text node, not an attribute node and there '"' doesn't matter. I'll have
to dig deeper.
>
> Trying to alter the message, using "$something" == "value", doesn't seem
> to have an effect, i.e. I can't get "grep" to find any values. In fact,
> I'm not even sure if I can use the names from the (E/Q)STRING parsers
> right away, or if I need to have <value name="something"> tags before I
> can grep for them.
grep is applied to the context, and the current message is part of the
context.
if you want to grep for name-value pairs of the current message then
yes, the values need to come before the grep.
> In fact, most of the time, the grep I would like to use is something
> like: $(grep ( "$variable" != "" ) "$variable"). But whatever I try, no
> results from grep.
>
> Could anyone please clarify?
--
Bazsi
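A small toy model of the correlation semantics discussed in this thread, added here as an illustration: it is not syslog-ng's code and not part of either poster's message. It keeps messages that share a context-id together, resolves `${name}@N` references against that context, and runs a grep over every message in the context (the current one included), which is the behaviour Bazsi describes above. Two things are assumptions rather than statements from the thread: an unindexed `${name}` (or `@0`) is taken to mean the current, newest message with `@1` the one before it, and the grep condition syntax is a deliberately tiny subset (`"${name}" == "literal"` or `!=`). The Postfix-style trail at the bottom is constructed sample data, not a real log.

```python
"""
Toy model of syslog-ng pattern-db correlation (illustration only, not
syslog-ng code). Semantics mimicked: messages sharing a context-id are
grouped, ${name}@N selects a message relative to the newest one, and a
grep over the context visits every message, the current one included.
Assumption (not from the thread): unindexed ${name} / @0 = current message,
@1 = the message before it, as Bazsi describes above.
"""
import re
from collections import defaultdict

# ${name} optionally followed by @N
REF_RE = re.compile(r"\$\{(?P<name>[A-Za-z_][A-Za-z0-9_]*)\}(?:@(?P<idx>\d+))?")
# tiny condition subset:  ( "lhs" == "rhs" )  or  ( "lhs" != "rhs" )
COND_RE = re.compile(
    r'^\s*\(\s*"(?P<lhs>[^"]*)"\s*(?P<op>==|!=)\s*"(?P<rhs>[^"]*)"\s*\)\s*$')


def resolve(template, context):
    """Expand ${name}@N against a context list ordered oldest..newest.
    @N counts back from the newest message; out of range or unknown -> ''."""
    def repl(m):
        back = int(m.group("idx") or 0)
        pos = len(context) - 1 - back
        if pos < 0:
            return ""
        return context[pos].get(m.group("name"), "")
    return REF_RE.sub(repl, template)


def grep(condition, value_template, context):
    """Return value_template expanded for every context message satisfying
    condition. Each message is evaluated on its own, so unindexed references
    in condition and value refer to that message."""
    m = COND_RE.match(condition)
    if not m:
        # same failure class as the thread's "Error parsing filter expression"
        # when the quotes around the operands have gone missing
        raise ValueError("Error parsing filter expression: %r" % condition)
    out = []
    for msg in context:
        lhs = resolve(m.group("lhs"), [msg])
        rhs = resolve(m.group("rhs"), [msg])
        hit = (lhs == rhs) if m.group("op") == "==" else (lhs != rhs)
        if hit:
            out.append(resolve(value_template, [msg]))
    return out


class Correlator:
    """Groups parsed messages by context-id (like context-id="${queueid}")."""
    def __init__(self):
        self.contexts = defaultdict(list)

    def add(self, context_id, fields):
        ctx = self.contexts[context_id]
        ctx.append(dict(fields))
        return ctx  # the context as it stands after this message


# Constructed sample: one Postfix-style delivery trail for a single queue id,
# already split into the name-value pairs the (E/Q)STRING parsers would yield.
QUEUE = "3AB17C"
TRAIL = [
    {"queueid": QUEUE, "pfremotehost": "mail.example.test", "pfremoteip": "192.0.2.10"},
    {"queueid": QUEUE, "msgid": "<abc@example.test>"},
    {"queueid": QUEUE, "pffrom": "alice@example.test"},
    {"queueid": QUEUE, "toaddress": "bob@example.test", "deliverystatus": "sent"},
    {"queueid": QUEUE},  # the final "removed" line is the one that fires the action
]


def run_trail():
    c = Correlator()
    ctx = []
    for msg in TRAIL:
        ctx = c.add(msg["queueid"], msg)
    # @1 = previous message, @2 = two back, ... counted from the "removed" line
    summary = resolve("${queueid} to=<${toaddress}@1> from=<${pffrom}@2> "
                      "connection from=${pfremotehost}@4[${pfremoteip}@4]", ctx)
    # the grep the poster wanted: every non-empty pffrom anywhere in the context
    froms = grep('("${pffrom}" != "")', "${pffrom}", ctx)
    return summary, froms


if __name__ == "__main__":
    s, f = run_trail()
    print(s)
    print(f)
```

Because `grep` evaluates each message separately, the name-value pair it looks for only has to exist on some message of the context; the `@N` offsets in `resolve`, by contrast, have to point at the right message counted back from the one that triggered the action, which is why a missing or wrong `@N` silently yields an empty value here just as the first poster observed.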