[syslog-ng] Message correlation, everything needs an "@"? And a grep problem.
Balazs Scheidler
bazsi at balabit.hu
Tue Mar 1 21:26:12 CET 2011
On Tue, 2011-03-01 at 21:21 +0100, Balazs Scheidler wrote:
> On Tue, 2011-03-01 at 21:05 +0100, Valentijn Sessink wrote:
> > Op 01-03-11 20:50, Balazs Scheidler schreef:
> > [...]
> > > I'd say that not that many people are probably using this feature right
> > > now, so I'd go for reverting that patch.
> >
> > Or update the documentation :)
> >
> > My feeling is that the "@1" adds extra complexity now - see the
> > context-id example with "${queueid}@1".
> >
> > Given how new this correlating thing is, and the (relative) lack of
> > example correlating patterns there is - no, I don't think many people
> > are using it... yet ;-)
>
> Hmm.. I didn't even notice the context-id part, that's different from
> the problem I realised.
>
> the context-id is expanded _before_ even identifying the context, so
> that shouldn't work that way.
>
> Let me check.
hmm. that's right, @1 at context-id expansion time is undefined and
becomes the empty string:
(gdb) p rule->context_id_template->template
$2 = (gchar *) 0x6276a0 "foobar.${usracct.username}@1"
(gdb) n
1454 pdb_state_key_setup(&key, PSK_CONTEXT, rule, msg, buffer->str);
(gdb) p buffer->str
$3 = (gchar *) 0x62eea0 "foobar."
In contrast with:
(gdb) p rule->context_id_template->template
$2 = (gchar *) 0x6276a0 "foobar.${usracct.username}"
(gdb) n
1454 pdb_state_key_setup(&key, PSK_CONTEXT, rule, msg, buffer->str);
(gdb) p buffer->str
$1 = (gchar *) 0x62eea0 "foobar.bazsi"
--
Bazsi
More information about the syslog-ng
mailing list