[syslog-ng] syslog-ng feature request - parser templates
Balazs Scheidler
bazsi at balabit.hu
Fri Feb 3 09:15:40 CET 2012
On Thu, 2012-02-02 at 08:36 -0800, Evan Rempel wrote:
> I would like the ability to specify a template that a parser database can
> take. In my particular case, I want to apply tags to messages that match
> a combination of $HOST, $PROGRAM, $INSTANCE where $INSTANCE is something
> parsed out of the message from a previous parser.
>
> To do this right now, I have to use the "rewrite" functionality to
> rewrite "SAVEMESSAGE" to the current $MESSAGE,
> then rewrite the MESSAGE to "$HOST $PROGRAM $INSTANCE", run the parser on this
> to add the tags and then rewrite MESSAGE back to $SAVEMESSAGE ....
>
> or at least I think that would work and is the only way to do this right now.
>
> By specifying a template for the parser, I can leverage the patterndb for
> any data, including previously parsed fields from a previous parser.
Right now this is not possible; however, this is the next item on my todo
list. I'd like to convert the db-parser() database to allow matching on
any of the fields.
--
Bazsi
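
The workaround described in the quoted request, written out as a syslog-ng configuration fragment. This is an added example, not part of the original messages: every object name, file path and the SAVEMESSAGE/INSTANCE value names are assumptions, and the fragment is meant to sit inside an existing syslog-ng.conf.

```conf
# Added illustration: object names, paths and value names are hypothetical.

source s_net { udp(port(514)); };

destination d_tagged {
    file("/var/log/tagged.log"
         template("$ISODATE $HOST $PROGRAM [$TAGS] $MESSAGE\n"));
};

# First pattern database: its rules extract INSTANCE from the
# original message text (for example with an @ESTRING:INSTANCE: @ parser).
parser p_extract { db-parser(file("/etc/syslog-ng/extract.xml")); };

# Step 1: keep a copy of the original message text.
rewrite r_save { set("$MESSAGE", value("SAVEMESSAGE")); };

# Step 2: overwrite MESSAGE with the lookup key built from the three fields.
rewrite r_key { set("$HOST $PROGRAM $INSTANCE", value("MESSAGE")); };

# Step 3: second pattern database. Its rules match the
# "host program instance" key and carry the <tags> to apply.
parser p_tag { db-parser(file("/etc/syslog-ng/tags.xml")); };

# Step 4: put the original text back so destinations see the real message.
rewrite r_restore { set("$SAVEMESSAGE", value("MESSAGE")); };

log {
    source(s_net);
    parser(p_extract);
    rewrite(r_save);
    rewrite(r_key);
    parser(p_tag);
    rewrite(r_restore);
    destination(d_tagged);
};
```

Both db-parser() runs write the same `.classifier.*` values, so the second lookup replaces the class and rule id set by the first.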