[syslog-ng] Can't seem to do a simple parse
Tracy Dalzell
tracy at guisolutions.com
Fri Sep 21 19:04:19 CEST 2012
I am trying to do a very simple parsing test to reformat a message using
syslog-ng 3.3.6 and I can't seem to use the value of my macro
(mystring):
patterndb (test.xml):
<patterndb version='4' pub_date='2012-09-21'>
  <ruleset name='test' id='123456678'>
    <pattern>test</pattern>
    <rules>
      <rule provider='me' id='182437592347598' class='system'>
        <patterns>
          <pattern>@STRING:mystring: @</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
pdbtool results:
[root@loghost01 syslog-ng]# pdbtool match -c -D -v -p test.xml -P test -M "INSERT INTO Test (id, value) VALUES (1, .044212)"
Pattern matching part:
@STRING:mystring=INSERT INTO Test @
Matching part:
INSERT INTO Test
Values:
MESSAGE=INSERT INTO Test (id, value) VALUES (1, .044212)
PROGRAM=test
.classifier.class=unknown
TAGS=.classifier.unknown
Relevant syslog-ng.conf lines:
source s_remote { tcp(); };
parser p_test { db-parser(file("/etc/syslog-ng/test.xml")); };
destination d_test { file("/var/log/splunk/$HOST" template("Here is the message: ${R_DATE} ${mystring}\n")); };
log { source(s_remote); parser(p_test); destination(d_test); };
Results from logger "INSERT INTO Test (id, value) VALUES (1, .044212)"
on client are:
Here is the message: Sep 21 16:46:53
Value of ${mystring} is null. What am I missing?
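
An added example, not part of the original post: a constructed variant of test.xml whose pattern consumes the message to its end, which db-parser requires before it classifies a message and exports the parsed values. The name "rest", the embedded test message block and the use of "logger -t test" on the client are assumptions made for this example.

```xml
<!-- Added example; not from the original post. Constructed variant of test.xml.
     db-parser only classifies a message when a pattern consumes it to the end;
     the original pattern stopped in front of "(". -->
<patterndb version='4' pub_date='2012-09-21'>
  <ruleset name='test' id='123456678'>
    <!-- Compared against ${PROGRAM}. Assumption: the client tags its message
         as "test", for example with: logger -t test "INSERT INTO ..." -->
    <pattern>test</pattern>
    <rules>
      <rule provider='me' id='182437592347598' class='system'>
        <patterns>
          <!-- STRING takes letters, digits and the extra character (space),
               so mystring becomes "INSERT INTO Test " (trailing space kept).
               The literal "(" and ANYSTRING then cover the remainder.
               "rest" is a hypothetical name. -->
          <pattern>@STRING:mystring: @(@ANYSTRING:rest@</pattern>
        </patterns>
        <examples>
          <!-- Checked by: pdbtool test test.xml -->
          <example>
            <test_message program='test'>INSERT INTO Test (id, value) VALUES (1, .044212)</test_message>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Re-running the pdbtool match command from the post against this file is expected to report .classifier.class=system together with a mystring value instead of .classifier.class=unknown.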