[syslog-ng] consecutive pattern parsers, and some other pattern matching questions

Valentijn Sessink valentyn at blub.net
Sun Feb 20 17:00:31 CET 2011


On 20-02-11 14:25, Balazs Scheidler wrote:
>> Yes, you can, but at a cost. To match one message with two patterns, you
>> will need two different pattern databases:
>> parser db1 {db_parser(file("/var/lib/syslog-ng/db1.xml"));};
>> parser db2 {db_parser(file("/var/lib/syslog-ng/db2.xml"));};
> Can you explain why you needed this? Why couldn't you do all processing
> in your single rule?

My question came from Postfix, where I tried correlating the smtpd 
"connect" and "disconnect" messages - which is quite trivial; but I would 
also like a larger correlation that included the whole mail delivery.

The connect/disconnect trail is simple: context-id="postfix-smtpd" 
context-scope="process" and off you go.

The mail delivery trail is trickier: you cannot get the full trail with 
just a "process" scope, you need to look for the "queueid". This queueid 
starts with smtpd, so there you go: a single message from smtpd that has 
a meaning in two different contexts.

Please note that the queue-id is not available in all smtpd messages, so 
it is not possible to add trail 1 to trail 2.

(I hope my explanation is clear, if not, please say so; I have a couple 
of patterns and also a postfix log trail that I could include).

Best regards,

Valentijn
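
The two trails described in the message above, sketched in Python as an added example (not part of the original post and not syslog-ng code): constructed log lines are grouped once per smtpd process and once per queue ID, which shows the single smtpd line that belongs to both contexts. The log lines, the function names and the short upper-case hexadecimal queue-ID format are assumptions.

```python
import re
from collections import defaultdict

# Constructed Postfix log lines for illustration (not from the original post).
SAMPLE = [
    "Feb 20 17:00:01 mx postfix/smtpd[4242]: connect from client.example[192.0.2.10]",
    "Feb 20 17:00:02 mx postfix/smtpd[4242]: 3F2A1B0C4D: client=client.example[192.0.2.10]",
    "Feb 20 17:00:02 mx postfix/cleanup[4250]: 3F2A1B0C4D: message-id=<1@client.example>",
    "Feb 20 17:00:03 mx postfix/qmgr[1100]: 3F2A1B0C4D: from=<a@client.example>, size=512, nrcpt=1",
    "Feb 20 17:00:03 mx postfix/smtpd[4242]: disconnect from client.example[192.0.2.10]",
    "Feb 20 17:00:04 mx postfix/local[4260]: 3F2A1B0C4D: to=<b@mx.example>, status=sent",
    "Feb 20 17:00:04 mx postfix/qmgr[1100]: 3F2A1B0C4D: removed",
]

# Syslog header, then program name and PID, then the message text.
LINE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+"
    r"postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
# Assumption: short queue IDs (upper-case hex) at the start of the message.
QUEUE_ID = re.compile(r"^(?P<qid>[0-9A-F]{6,}):\s")

def correlate(lines):
    """Group lines into two independent contexts, one per trail."""
    by_process = defaultdict(list)  # trail 1: smtpd connect..disconnect, per process
    by_queue = defaultdict(list)    # trail 2: whole delivery, per queue ID
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        if m["prog"] == "smtpd":
            by_process[(m["host"], m["pid"])].append(m["msg"])
        q = QUEUE_ID.match(m["msg"])
        if q:  # not every smtpd line carries a queue ID
            by_queue[(m["host"], q["qid"])].append((m["prog"], m["msg"]))
    return dict(by_process), dict(by_queue)

def in_both(by_process, by_queue):
    """Return the smtpd messages that appear in both contexts."""
    queued = {msg for trail in by_queue.values()
              for prog, msg in trail if prog == "smtpd"}
    return [msg for trail in by_process.values() for msg in trail if msg in queued]

if __name__ == "__main__":
    procs, queues = correlate(SAMPLE)
    for key, trail in procs.items():
        print("process", key, len(trail), "messages")
    for key, trail in queues.items():
        print("queue", key, [prog for prog, _ in trail])
    print("in both contexts:", in_both(procs, queues))
```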

