[syslog-ng] using correlation to filter out some messages ?

Balazs Scheidler bazsi at balabit.hu
Mon Jan 24 17:35:21 CET 2011


On Wed, 2011-01-19 at 10:58 +0100, Guillaume Rousse wrote:
> On 18/01/2011 18:13, Guillaume Rousse wrote:
> > As you suggested earlier, the following action in the second rule should
> > ensure a message in an empty context is getting re-emitted:
> > <action trigger="match" condition="${MESSAGE}@1 == ''">
> >   <message>
> >     <values>
> >       <value name="MESSAGE">${MSG}@1</value>
> >     </values>
> >   </message>
> > </action>
> This one triggers an error:
> 
> 
> Error parsing filter expression, syntax error, unexpected $undefined in
> <string> at line 1, column 2:
> 
> ${
>  ^
> ...
> Error parsing pattern database file;
> filename='/var/lib/syslog-ng/patterndb.xml', error='Error compiling
> conditional expression'
> 
> I tried playing with other macros, such as ${HOST}, without success.
> 
> Also, I guess the re-emitted message should be the current one (${MSG}),
> not the previous one (${MSG}@1), for the value element content?

You should enclose the macro reference in quotes like this:

condition="'${MESSAGE}@1' == ''"
           ^            ^

In a filter expression, all strings are assumed to be templates, and
then you can use operators like you did. But macro references also need
to be enclosed in quotes (either apostrophes or double quotes will
work); this time it was easier to use apostrophes because the XML
attribute used quotes.

-- 
Bazsi
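
An added example, not part of the original message or of syslog-ng itself: a small Python check that flags `condition` attributes whose macro references sit outside quotes, so the problem is caught before the pattern database is loaded. The sample XML is constructed (a bare `<actions>` wrapper around the action from this thread), the function names are hypothetical, and the check assumes quoted strings contain no escaped quotes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: three actions wrapped in a bare <actions> element.
# 1st: the unquoted condition from the thread, 2nd: the quoted form from the
# reply, 3rd: the same idea with double quotes inside a single-quoted attribute.
SAMPLE = """<actions>
  <action trigger="match" condition="${MESSAGE}@1 == ''">
    <message><values><value name="MESSAGE">${MSG}@1</value></values></message>
  </action>
  <action trigger="match" condition="'${MESSAGE}@1' == ''">
    <message><values><value name="MESSAGE">${MSG}@1</value></values></message>
  </action>
  <action trigger="match" condition='"${HOST}" == ""'/>
</actions>"""

QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")   # a quoted string (no escape handling)
MACRO = re.compile(r"\$\{[^}]*\}|\$\w+")     # ${NAME} or $NAME


def unquoted_macros(condition):
    """Return the macro references left once quoted strings are removed."""
    return MACRO.findall(QUOTED.sub("", condition))


def lint_patterndb(xml_text):
    """Return (condition, [unquoted macros]) for every offending <action>."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        condition = action.get("condition")
        if condition:
            bare = unquoted_macros(condition)
            if bare:
                findings.append((condition, bare))
    return findings


if __name__ == "__main__":
    for condition, bare in lint_patterndb(SAMPLE):
        print(f"unquoted {', '.join(bare)} in condition: {condition}")
```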


