[syslog-ng] Parser not parsing :-)

T. A. Smooth catdaaaady at gmail.com
Wed Feb 8 02:40:17 CET 2012 

I think I found the issue.  I define the parser once, but i use it in two
different log statments.

When i use it twice the parser places blanks in the custom columns.  If i
only use it once everything works and the custom columns have the right
values.

Expect behavior?
On Feb 6, 2012 11:37 AM, "T. A. Smooth" <catdaaaady at gmail.com> wrote:

> Okay this is really weird. Sorry again.
> I pasted contents of the email here with the configuration .
> Hopefully this is not too much of a inconvenience.
>
> http://pastebin.com/YQUD5TrA
>
>
> On Mon, Feb 6, 2012 at 11:27 AM, T. A. Smooth <catdaaaady at gmail.com>
> wrote:
> > Looks like my last email was chopped off .
> > Here it is again.
> > ################
> >
> > I can only assume I am not implementing this correctly. :-)
> >
> > But I have a parser I am trying to use so I can take a subset of the
> > information of a message and send that subset to another receiver.
> > This is the whole message:
> >
> > <13>Feb  4 18:40:17 myhost syslogng: 2012-02-04T18:40:17-08:00
> > myhostserver-http /tmp/logs/access_log    Hi Mom
> >
> > What I want to do is send out the message as :
> >
> > <13>Feb  4 18:40:17 myhost syslogng: Hi Mom
> >
> > Notice how I dropped the middle part out.
> >
> > From what I have read, the parser acts on the message body alone. Is
> > this correct?
> > So I set it up to look for four(4) columns of data and to be "greedy"
> > on the last column.
> >
> > I have played around with the number of columns and even used a
> > rewrite function instead. But the Parser continues to produce empty
> > variables.  And my template just echos out my default value.
> >
> > Any thoughts?
> >
> >
> >
> >
> >
> >  parser p_et_logmessage {
> >        csv-parser(
> >                #columns("ETMSG")
> >                #columns("ETMSG.ISODATE")
> >                columns("ETMSG.ISODATE", "ETMSG.EASI", "ETMSG.SOURCE",
> > "ETMSG.BODY")
> >                delimiters(" ")
> >                #template("${MSG}")
> >                flags(greedy)
> >        );
> > };
> >
> > rewrite r_rewrite_set{set('${ETMSG.BODY:-nothing}', value("MESSAGE"));};
> >
> > template t_et_basic_logmessage {
> >             template("${ETMSG.BODY:-nothing}\n"); template_escape(no); };
> >
> >
> > destination destination_info {
> >        tcp("host2" port(8080)
> >                template(t_et_basic_logmessage)
> >                log_disk_fifo_size(32212254720)
> >        );
> > };
> >
> > log {
> >        source(INTAKE);
> >        parser(p_et_logmessage);
> >        destination(destination_info);
> > };
> >
> >
> >
> >
> >
> >
> >
> >
> > On Mon, Feb 6, 2012 at 11:07 AM, T. A. Smooth <catdaaaady at gmail.com>
> wrote:
> >>
> >> I can only assume I am not implementing this correctly. :-)
> >>
> >> But I have a parser I am trying to use so I can take a subset of the
> information of a message and send that subset to another receiver.
> >> This is the whole message:
> >>
> >>> <13>Feb  4 18:40:17 myhost syslogng: 2012-02-04T18:40:17-08:00
> myhostserver-http /tmp/logs/access_log    Hi Mom
> >>
> >>
> >> What I want to do is send out the message as :
> >>
> >>> <13>Feb  4 18:40:17 myhost syslogng: Hi Mom
> >>
> >>
> >> Notice how I dropped the middle part out.
> >>
> >> From what I have read, the parser acts on the message body alone. Is
> this correct?
> >> So I set it up to look for four(4) columns of data and to be "greedy"
> on the last column.
> >>
> >> I have played around with the number of columns and even used a rewrite
> function instead. But the Parser continues to produce empty variables.  And
> my template just echos out my default value.
> >>
> >> Any thoughts?
> >>
> >>
> >>>
> >>>
> >>>
> >>>  parser p_et_logmessage {
> >>>         csv-parser(
> >>>                 #columns("ETMSG")
> >>>                 #columns("ETMSG.ISODATE")
> >>>                 columns("ETMSG.ISODATE", "ETMSG.EASI", "ETMSG.SOURCE",
> "ETMSG.BODY")
> >>>                 delimiters(" ")
> >>>                 #template("${MSG}")
> >>>                 flags(greedy)
> >>>         );
> >>> };
> >>
> >>
> >>>
> >>> rewrite r_rewrite_set{set('${ETMSG.BODY:-nothing}',
> value("MESSAGE"));};
> >>>
> >>> template t_et_basic_logmessage {
> >>>              template("${ETMSG.BODY:-nothing}\n");
> template_escape(no); };
> >>>
> >>>
> >>> destination destination_info {
> >>>         tcp("host2" port(8080)
> >>>                 template(t_et_basic_logmessage)
> >>>                 log_disk_fifo_size(32212254720)
> >>>         );
> >>> };
> >>>
> >>> log {
> >>>         source(INTAKE);
> >>>         parser(p_et_logmessage);
> >>>         destination(destination_info);
> >>> };
> >>
> >>
> >>
> >>
> >> My latest Post: Givenchy Fall/Winter 2012 Collection – Runway |
> Highsnobiety.com
> >> Get a signature like this. CLICK HERE.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20120207/5a6423e0/attachment.htm

More information about the syslog-ng mailing list