[syslog-ng] Message correlation, everything needs an "@"? And a grep problem.

Balazs Scheidler bazsi at balabit.hu
Tue Mar 1 21:19:57 CET 2011


On Sun, 2011-02-20 at 17:18 +0100, Valentijn Sessink wrote:
> On 20-02-11 14:43, Balazs Scheidler wrote:
> 
> >> Is this how it's meant to be?
> > hmm.. no, @1 should be the one before the current message. I've just
> > tried to reproduce this with 3.3 but it works fine.
> 
> Could it have something to do with my context-scope="host"?
> 
> > ... seems to work OK in 3.2 too. how did you reproduce this exactly?
> 
> Please find attached the postfix-maildelivery pattern that I have been 
> experimenting with. Trying to match the "queuid" within messages only 
> worked when using "@1" - which I found rather strange.
> 
> Oh, for the record: syslog-ng 3.2.2
> Installer-Version: 3.2.2
> Revision: 
> ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#1d3f396485eb47b1ff6aa18ac4f1c4cd51c0ea4c
> Compile-Date: Feb  9 2011 13:14:58
> Enable-Threads: on
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-Sun-STREAMS: off
> Enable-IPv6: on
> Enable-Spoof-Source: on
> Enable-TCP-Wrapper: off
> Enable-SSL: on
> Enable-SQL: on
> Enable-Linux-Caps: off
> Enable-Pcre: off
> Enable-Pacct: off
> 
> Please note that the attached pattern is work (once) in progress. Anyone 
> who would install and use this on a live machine is an idiot just like me ;)
> 
> To begin with, the "program" pattern on top of the file is missing, 
> which is not very convenient for a live server :)
> 
> Development stalled when the "grep" function wouldn't work; because the 
> pattern works for really, really simple messages but it fails completely 
> for messages with multiple recipients (and possibly other fail factors). 
> Trying to have "grep" output multiple values for one variable didn't 
> work. If you know how to do that, please tell me.
> 
> > Yes, that's the problem. hmm.. The XML shouldn't do this, as this is a
> > text node, not an attribute node and there '"' doesn't matter. I'll have
> > to dig deeper.
> 
> OK, so I gather: grep is not working right now?

Here's a fix for $(grep) (and also $(if)), just pushed so it's hot :)

commit 045be28278fa28cb6be8e8e8063a157efaef40ef
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Tue Mar 1 21:19:19 2011 +0100

    templates: added syntactic sugar for using filter expressions in template functions
    
    $(grep) and $(if) take a filter expression as argument, however such
    expressions may require quoted strings. The default behaviour of the
    parser in this case was to remove quotes.
    
    This is fixed by not caring about quotes within parentheses, so
    $(grep) becomes usable with this syntax:
    
    $(grep ('$FACILITY' == 'level4') $MSG)
    
    This works since the parentheses around the filter expression are nicely
    processed by the filter anyway, and the template function arg parser
    ignores quotes in this case.
    
    Reported-By: Valentijn Sessink <valentyn at blub.net>
    Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>


-- 
Bazsi
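
Added example, not part of the original mail and not syslog-ng source: a simplified model of the argument splitting the commit message describes, showing how quote removal breaks up the filter expression and how leaving quotes alone inside parentheses keeps it intact for the filter parser. The function `split_args`, its `paren_aware` switch and the buffer sizes are hypothetical names chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8
#define MAX_LEN 128

/* Simplified model of a template-function argument splitter (hypothetical,
 * not syslog-ng source). Whitespace separates arguments; outside parentheses,
 * quotes group text and are removed. With paren_aware set, everything inside
 * (...) is copied verbatim, quotes and spaces included. */
static int split_args(const char *s, int paren_aware, char out[MAX_ARGS][MAX_LEN])
{
    int argc = 0, depth = 0, in_arg = 0;
    size_t len = 0;
    char quote = 0;
    for (; *s; s++) {
        char c = *s;
        if (quote) {                          /* inside a quoted string */
            if (c == quote) { quote = 0; continue; }  /* drop closing quote */
        } else if (depth > 0) {               /* inside parentheses: verbatim */
            if (c == '(') depth++;
            else if (c == ')') depth--;
        } else if (c == '\'' || c == '"') {
            quote = c; in_arg = 1; continue;  /* drop opening quote */
        } else if (c == ' ' || c == '\t') {   /* argument boundary */
            if (in_arg && argc < MAX_ARGS) out[argc++][len] = '\0';
            in_arg = 0; len = 0;
            continue;
        } else if (c == '(' && paren_aware) {
            depth = 1;
        }
        if (argc < MAX_ARGS && len < MAX_LEN - 1) { out[argc][len++] = c; in_arg = 1; }
    }
    if (in_arg && argc < MAX_ARGS) out[argc++][len] = '\0';
    return argc;
}

int main(void)
{
    /* Constructed input: the argument text of the $(grep) call quoted above. */
    const char *args = "('$FACILITY' == 'level4') $MSG";
    char out[MAX_ARGS][MAX_LEN];
    for (int aware = 0; aware <= 1; aware++) {
        int n = split_args(args, aware, out);
        printf("paren_aware=%d\n", aware);
        for (int i = 0; i < n; i++) printf("  arg[%d] = %s\n", i, out[i]);
    }
    return 0;
}
```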