[syslog-ng] Parser not parsing :-)

Fekete Robert frobert at balabit.hu
Wed Feb 8 09:26:09 CET 2012


I think this bug has been corrected in recent versions, but check the 
changelog/git tree for details.

Robert

On 02/08/2012 02:40 AM, T. A. Smooth wrote:

> I think I found the issue.  I define the parser once, but I use it in two
> different log statements.
>
> When I use it twice the parser places blanks in the custom columns.  If I only
> use it once everything works and the custom columns have the right values.
>
> Expected behavior?
>
> On Feb 6, 2012 11:37 AM, "T. A. Smooth" <catdaaaady at gmail.com
> <mailto:catdaaaady at gmail.com>> wrote:
>
>     Okay this is really weird. Sorry again.
>     I pasted the contents of the email here with the configuration.
>     Hopefully this is not too much of an inconvenience.
>
>     http://pastebin.com/YQUD5TrA
>
>
>     On Mon, Feb 6, 2012 at 11:27 AM, T. A. Smooth <catdaaaady at gmail.com
>     <mailto:catdaaaady at gmail.com>> wrote:
>      > Looks like my last email was chopped off.
>      > Here it is again.
>      > ################
>      >
>      > I can only assume I am not implementing this correctly. :-)
>      >
>      > But I have a parser I am trying to use so I can take a subset of the
>      > information of a message and send that subset to another receiver.
>      > This is the whole message:
>      >
>      > <13>Feb  4 18:40:17 myhost syslogng: 2012-02-04T18:40:17-08:00 myhostserver-http /tmp/logs/access_log    Hi Mom
>      >
>      > What I want to do is send out the message as:
>      >
>      > <13>Feb  4 18:40:17 myhost syslogng: Hi Mom
>      >
>      > Notice how I dropped the middle part out.
>      >
>      > From what I have read, the parser acts on the message body alone. Is
>      > this correct?
>      > So I set it up to look for four (4) columns of data and to be "greedy"
>      > on the last column.
>      >
>      > I have played around with the number of columns and even used a
>      > rewrite function instead. But the parser continues to produce empty
>      > variables.  And my template just echoes out my default value.
>      >
>      > Any thoughts?
>      >
>      >
>      >
>      >
>      >
>      >  parser p_et_logmessage {
>      >        csv-parser(
>      >                #columns("ETMSG")
>      >                #columns("ETMSG.ISODATE")
>      >                columns("ETMSG.ISODATE", "ETMSG.EASI", "ETMSG.SOURCE", "ETMSG.BODY")
>      >                delimiters(" ")
>      >                #template("${MSG}")
>      >                flags(greedy)
>      >        );
>      > };
>      >
>      > rewrite r_rewrite_set{set('${ETMSG.BODY:-nothing}', value("MESSAGE"));};
>      >
>      > template t_et_basic_logmessage {
>      >             template("${ETMSG.BODY:-nothing}\n"); template_escape(no); };
>      >
>      >
>      > destination destination_info {
>      >        tcp("host2" port(8080)
>      >                template(t_et_basic_logmessage)
>      >                log_disk_fifo_size(32212254720)
>      >        );
>      > };
>      >
>      > log {
>      >        source(INTAKE);
>      >        parser(p_et_logmessage);
>      >        destination(destination_info);
>      > };
>
>
>
>

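The following is an added illustration, not part of the original thread and not syslog-ng code: a simplified Python model of the column splitting and the `${NAME:-default}` template fallback discussed above, run on the sample message from the thread. The function names `csv_parse` and `expand` are hypothetical, and the splitting rules (single-character delimiter, greedy remainder into the last column) are an assumption based on the description in the thread.

```python
import re

# Simplified model (an assumption, not syslog-ng source code) of a csv-parser
# with a single-character delimiter and an optional greedy last column.
def csv_parse(msg, columns, delimiter=" ", greedy=False):
    fields = {}
    rest = msg
    for i, name in enumerate(columns):
        if rest is None:
            break                      # input exhausted: later columns stay unset
        last = i == len(columns) - 1
        if last and greedy:
            fields[name] = rest        # greedy: the whole remainder, delimiters included
            rest = None
        else:
            head, sep, tail = rest.partition(delimiter)
            fields[name] = head
            rest = tail if sep else None
    return fields

_MACRO = re.compile(r"\$\{([^}:]+)(?::-([^}]*))?\}")

def expand(template, fields):
    # ${NAME:-default}: the default is used when NAME is unset or empty,
    # which is why blank columns surface as "nothing" in the output.
    def sub(m):
        return fields.get(m.group(1)) or (m.group(2) or "")
    return _MACRO.sub(sub, template)

# Message body from the thread (the part after "syslogng: "); the run of
# four spaces before "Hi Mom" is built explicitly so it cannot be collapsed.
MSG = ("2012-02-04T18:40:17-08:00 myhostserver-http "
       "/tmp/logs/access_log" + " " * 4 + "Hi Mom")
COLUMNS = ["ETMSG.ISODATE", "ETMSG.EASI", "ETMSG.SOURCE", "ETMSG.BODY"]
TEMPLATE = "${ETMSG.BODY:-nothing}\n"

if __name__ == "__main__":
    for label, fields in [
        ("greedy", csv_parse(MSG, COLUMNS, greedy=True)),
        ("not greedy", csv_parse(MSG, COLUMNS, greedy=False)),
        ("columns blank", {}),         # the symptom reported in the thread
    ]:
        print(f"{label:14} -> {expand(TEMPLATE, fields)!r}")
```

In this model the repeated spaces before `Hi Mom` leave the last column empty unless the greedy flag is set, so an output of `nothing` can come from either unset or empty columns.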


