[syslog-ng] consecutive pattern parsers, and some other pattern matching questions
Valentijn Sessink
valentyn at blub.net
Sun Feb 20 17:00:31 CET 2011
On 20-02-11 14:25, Balazs Scheidler wrote:
>> Yes, you can, but at a cost. To match one message with two patterns, you
>> will need two different pattern databases:
>> parser db1 {db_parser(file("/var/lib/syslog-ng/db1.xml"));};
>> parser db2 {db_parser(file("/var/lib/syslog-ng/db2.xml"));};
> Can you explain why you needed this? Why couldn't you do all processing
> in your single rule?

My question came from Postfix, where I tried correlating the smtpd
"connect" and "disconnect" messages - which is quite trivial; but I
would also like a larger correlation that included the whole mail delivery.

The connect/disconnect trail is simple: context-id="postfix-smtpd"
context-scope="process" and off you go.

The mail delivery trail is trickier: you cannot get the full trail with
just a "process" scope, you need to look for the "queueid". This queueid
starts with smtpd, so there you go: a single message from smtpd that has
a meaning in two different contexts.

Please note that the queue-id is not available in all smtpd messages, so
it is not possible to add trail 1 to trail 2.

(I hope my explanation is clear, if not, please say so; I have a couple
of patterns and also a postfix log trail that I could include).

Best regards,

Valentijn
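
An added illustration of the two trails described in the message above (not part of the original post, and not syslog-ng code): a Python sketch that groups Postfix lines by process (trail 1) and by queue id (trail 2), and reports which lines fall into both contexts. The log lines are constructed, and the regexes assume the traditional short hexadecimal queue id format.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original post); host, PIDs and queue id are made up.
SAMPLE = """\
Feb 20 16:00:01 mx postfix/smtpd[4242]: connect from client.example[192.0.2.10]
Feb 20 16:00:02 mx postfix/smtpd[4242]: 3F2A1B7C: client=client.example[192.0.2.10]
Feb 20 16:00:02 mx postfix/cleanup[4250]: 3F2A1B7C: message-id=<1@client.example>
Feb 20 16:00:03 mx postfix/qmgr[900]: 3F2A1B7C: from=<a@client.example>, size=512, nrcpt=1 (queue active)
Feb 20 16:00:03 mx postfix/smtpd[4242]: disconnect from client.example[192.0.2.10]
Feb 20 16:00:04 mx postfix/smtp[4260]: 3F2A1B7C: to=<b@example.net>, relay=mail.example.net[198.51.100.5]:25, status=sent (250 ok)
Feb 20 16:00:04 mx postfix/qmgr[900]: 3F2A1B7C: removed
""".splitlines()

# "Mon DD HH:MM:SS host postfix/program[pid]: message"
LINE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Assumption: short queue ids, i.e. upper-case hex followed by ": ".
QUEUE_ID = re.compile(r"^(?P<qid>[0-9A-F]{6,}): ")


def correlate(lines):
    """Return (process_trails, queue_trails), each mapping a context key to line indexes."""
    process_trails = defaultdict(list)
    queue_trails = defaultdict(list)
    for index, line in enumerate(lines):
        m = LINE.match(line)
        if not m:
            continue
        if m["prog"] == "smtpd":
            # Trail 1: one context per smtpd process (host + program + pid).
            process_trails[(m["host"], "smtpd", m["pid"])].append(index)
        q = QUEUE_ID.match(m["msg"])
        if q:
            # Trail 2: one context per queue id, spanning several processes.
            queue_trails[(m["host"], q["qid"])].append(index)
    return dict(process_trails), dict(queue_trails)


def in_both(process_trails, queue_trails):
    """Line indexes that belong to a process context and a queue-id context."""
    by_process = {i for idxs in process_trails.values() for i in idxs}
    by_queue = {i for idxs in queue_trails.values() for i in idxs}
    return sorted(by_process & by_queue)
```

Only the smtpd line that carries the queue id lands in both contexts; the connect and disconnect lines have no queue id, so the two trails cannot be merged under one key.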