[syslog-ng] min and max message count condition in correlation actions
Evan Rempel
erempel at uvic.ca
Sun Apr 14 03:30:52 CEST 2013
As of 2 days ago a new syslog-ng guide was published that now documents this :-)
Slightly different syntax
<action condition='"$(context-length)" >= "$max"'>
Works like a charm.
Also, it isn't specified that <tag>xxx</tag> can be in the <message> part of an action.
syslog-ng never stops amazing me.
Evan.
________________________________________
From: syslog-ng-bounces at lists.balabit.hu [syslog-ng-bounces at lists.balabit.hu] on behalf of Gergely Nagy [algernon at balabit.hu]
Sent: Saturday, April 13, 2013 5:32 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] min and max message count condition in correlation actions
Evan Rempel <erempel at uvic.ca> writes:
> so the syntax would be
>
> <action condition="$(context-length) == $num">
>
> wher $num is some macro from the pattern used to match a line.
>
> Is that correct?
$num can be pretty much anything: a number, a macro, another template
function - it is entirely up to you. It does not need to be extracted
from the pattern, but that should work too.
--
|8]
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
More information about the syslog-ng
mailing list