[syslog-ng] Can't seem to do a simple parse
Tracy Dalzell
tracy at guisolutions.com
Fri Sep 21 21:03:23 CEST 2012
I changed test.xml to:
<patterndb version='4' pub_date='2010-10-17'>
<ruleset name='test' id='123456678'>
<pattern>test</pattern>
<rules>
<rule provider='me' id='182437592347598' class='system'>
<patterns>
<pattern>@ANYSTRING:mystring:@</pattern>
</patterns>
</rule>
</rules>
</ruleset>
</patterndb>
Pdbtool now shows:
pdbtool match -c -D -v -p test.xml -P test -M "INSERT INTO Test (id, value) VALUES (1, .044212)"
Pattern matching part:
@ANYSTRING:mystring=INSERT INTO Test (id, value) VALUES (1, .044212)@
Matching part:
INSERT INTO Test (id, value) VALUES (1, .044212)
Values:
MESSAGE=INSERT INTO Test (id, value) VALUES (1, .044212)
PROGRAM=test
.classifier.class=system
.classifier.rule_id=182437592347598
mystring=INSERT INTO Test (id, value) VALUES (1, .044212)
TAGS=
So pdbtool extracts the value but:
source s_remote { tcp(); };
parser p_test { db-parser(file("/etc/syslog-ng/test.xml")); };
destination d_test { file("/var/log/splunk/$HOST" template("Here is the message: ${R_DATE} ${mystring}\n")); };
log { source(s_remote); parser(p_test); destination(d_test); };
Still outputs to logfile:
Here is the message: Sep 21 18:56:21
Still no value in output for ${mystring}
-----Original Message-----
From: system at ra-schaal.de [mailto:system at ra-schaal.de]
Sent: Friday, September 21, 2012 2:43 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Can't seem to do a simple parse
<pattern>@STRING:mystring: @</pattern>
>
> Results from logger "INSERT INTO Test (id, value) VALUES (1, .044212)"
> on client are:
>
> Value of ${mystring} is null. What am I missing?
@STRING@ doesn't include any whitespace.
To get the complete message, use @ANYSTRING@. Otherwise have a look at @ESTRING@ and @QSTRING@
regards
florian
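
A simplified Python model of the @STRING@, @ANYSTRING@ and @ESTRING@ parsers named in the reply above, run against the message from this thread. It is an added example, not syslog-ng code and not from either poster. It assumes a rule matches only when the whole message is consumed, and the ESTRING pattern used with it is a constructed illustration.

```python
import re

# Simplified model of three patterndb parsers (assumption: not syslog-ng's own code).
TOKEN = re.compile(r"@(STRING|ANYSTRING|ESTRING):([^:@]*)(?::([^@]*))?@")
MSG = "INSERT INTO Test (id, value) VALUES (1, .044212)"  # message from the thread

def match(pattern, msg):
    """Return the extracted name-value pairs, or None if the rule does not match."""
    values, pos, last = {}, 0, 0
    for tok in TOKEN.finditer(pattern):
        literal = pattern[last:tok.start()]
        if not msg.startswith(literal, pos):   # literal text must match exactly
            return None
        pos += len(literal)
        kind, name, param = tok.group(1), tok.group(2), tok.group(3) or ""
        if kind == "ANYSTRING":                # everything up to the end of the message
            end = nxt = len(msg)
        elif kind == "ESTRING":                # up to the stop string, which is consumed
            if not param:
                return None
            end = msg.find(param, pos)
            if end < 0:
                return None
            nxt = end + len(param)
        else:                                  # STRING: alphanumerics plus listed extra chars
            end = pos
            while end < len(msg) and (msg[end].isalnum() or msg[end] in param):
                end += 1
            if end == pos:
                return None
            nxt = end
        if name:
            values[name] = msg[pos:end]
        pos, last = nxt, tok.end()
    # Model assumption: leftover, unparsed message text means the rule does not match.
    return values if msg[pos:] == pattern[last:] else None

if __name__ == "__main__":
    for p in ("@STRING:mystring@", "@STRING:mystring: @", "@ANYSTRING:mystring:@",
              "INSERT INTO @ESTRING:table: @(@ESTRING:columns:)@ VALUES (@ESTRING:values:)@"):
        print(p, "->", match(p, MSG))
```

In this model both @STRING@ forms stop before the end of the message (at the first space, or at the "(" when a space is listed as an extra character), so no value is extracted, while @ANYSTRING@ and the @ESTRING@ chain consume the whole message.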