[syslog-ng] using correlation to filter out some messages ?
Guillaume Rousse
guillomovitch at gmail.com
Wed Jan 26 11:21:07 CET 2011
Le 24/01/2011 17:35, Balazs Scheidler a écrit :
> you should enclose the macro reference in quotes like this:
>
> condition="'${MESSAGE}@1' == ''"
> ^ ^
>
> in a filter expression, all strings are assumed to be templates, and
> then you can use operators like you did. but macro references also need
> to be enclosed in quotes (either apostrophes or double quotes will
> work), this time it was easier to use apostrophes because the XML
> attribute used quotes.
OK, this time syslog-ng doesn't choke, but the re-emited message is
leaking to stdout (actually, to the console used to launch it, I just
presume it's syslog-ng stdout), which is quite painful:
[root at avron1 ~]# service syslog-ng start
Lancement de syslog-ng : [ OK ]
[root at avron1 ~]# 2011 Jan 26 11:16:21 avron1 conn=1569812 fd=39 closed
(connection lost)
2011 Jan 26 11:16:21 avron1 conn=1569813 fd=60 closed (connection lost)
2011 Jan 26 11:16:23 avron1 conn=1569814 fd=39 closed (connection lost)
2011 Jan 26 11:16:23 avron1 conn=1569815 fd=60 closed (connection lost)
Morevoer, it also suggested the condition used doesn't work, as those
messages shouldn't have been re-emited at all.
I'm attaching patterndb and syslog-ng configuration related fragments.
--
BOFH excuse #211:
Lightning strikes.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap_probe.pdb
Type: application/vnd.palm
Size: 1484 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20110126/dd604756/attachment.bin
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: syslog
Url: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20110126/dd604756/attachment.txt
More information about the syslog-ng
mailing list