[syslog-ng] Feature Request - patterndb match set
Girish-Agarwal
Girish.Agarwal at OfficeDepot.com
Mon Nov 28 13:56:13 CET 2011
DDD
----- Original Message -----
From: Evan Rempel [mailto:erempel at uvic.ca]
Sent: Sunday, November 27, 2011 07:25 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Feature Request - patterndb match set
Thanks Balint
The patch was not quite complete (don't you hate copy and paste!) as it did not reference your new parser. A small fix, and it
worked like a charm.
Evan.
________________________________________
From: syslog-ng-bounces at lists.balabit.hu [syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balint Kovacs [balint.kovacs at balabit.com]
Sent: Sunday, November 27, 2011 9:47 AM
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] Feature Request - patterndb match set
Hi Evan,
On 11/27/2011 06:10 AM, Evan Rempel wrote:
> I have come across some odd lines that really can't be matched/parsed by the patterndb
>
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: Module Size Used by
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfs26 1945576 0
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfslinux 326280 1 mmfs26
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: tracedev 67148 2 mmf
>
>
> I would like to match these and parse out the number. The catch is that the number is right justified which means that
> there is a variable number of spaces before the number.
>
> I am open to suggestions about how to make a paterndb pattern to match this and parse the number into a tag/value pair.
>
> Failing that I would propose that a @SET@ parser.
>
> @SET:name:character set@
>
> This will match a sequence of characters that contain any of, and only those characters listed by "character set"
>
> This will allow matches of arbitrary length separators such as spaces or hyphens or other cases that can not yet be
> handled.
>
> Comments?
>
> Evan
This is something I would have needed recently as well, I ran across the
same problem with squid logs and padded usernames. STRING is not okay,
since you can only extend the set of matched chars, not specify them and
it will match the following tokens as well. I never tried to do a parser
before, but it seemed quite easy, so I'm sending a patch in a separate
thread that implements your idea and let's see what Bazsi thinks about it.
Balint
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
More information about the syslog-ng
mailing list