[syslog-ng] weird filter problem

Russell Fulton r.fulton at auckland.ac.nz
Fri May 17 10:03:45 CEST 2013


On 13/05/2013, at 3:58 PM, Martin Holste <mcholste at gmail.com> wrote:

> The issue is probably where the filter resides.  I use that filter (in fact, it's in an optional ELSA config right now) and it works, but you have to remember that ${.classifier.class} isn't set until after the patterndb parser is run, so the filter() statement has to be after parser(p_db);
> 


Yes, that was the issue. I had multiple log{} statements and I reordered them, not realising that one was missing parser(p_db).

Now the question is:  If I have two log{} clauses both with parser(p_db) does the parsing get done twice?

Russell

> 
> On Fri, May 10, 2013 at 11:51 PM, Evan Rempel <erempel at uvic.ca> wrote:
> Wait a second. Version 3.2.x ... really?
> That's quite old. There was a bug with the .classifier.X tags some time in the past, and it might have been in those old versions. Certainly version 3.3 would be recommended, and all of my work is done with 3.4.x
> 
> My advice may be specific to version 3.4 :-(
> 
> 
> 
> 
> Evan Rempel 250.271.7691
> University Systems, University of Victoria
> 
> Evan Rempel <erempel at uvic.ca> wrote:
> 
> This definitely works. I'm using it right now.
> 
> If it isn't working, then your pattern in the patterndb is not matching. We literally run millions of messages per hour through this exact filter ... I copied and pasted it from our pattern database.
> 
> 
> 
> Evan Rempel   250.271.7691
> University Systems, University of Victoria
> 
> Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> 
> 
> On 11/05/2013, at 2:26 PM, Evan Rempel <erempel at uvic.ca> wrote:
> 
> > Try this filter
> >
> >
> > filter f_unknown {
> >        tags(".classifier.unknown");
> > };
> >
> 
> This always appears to return true.  I.e. this filter includes everything.  Negating it includes nothing.
> 
> I have tried to install 3.2.5 as this is the last version that ELSA is confirmed to work with but that does not start:
> 
> Starting syslog-ng
> /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libsyslog-ng.so.0: cannot open shared object file: No such file or directory
> 
> So far as I can tell all the lib files are present and correct and in the same place as the previous version?
> 
> I have syslog-ng installed in /usr/local/syslog-ng-<version> and a symlink /usr/local/syslog-ng pointing to the version to use.
> 
> Russell
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> 
> 
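To make the ordering point concrete, here is an added syslog-ng configuration sketch; it is not from the thread or from ELSA. The source, the destination paths and the pattern database path (a placeholder) are assumptions; the filter is the one Evan posted. The first, commented-out log path puts filter(f_unknown) before parser(p_db), so at the point the filter runs the pattern database has not been consulted and the .classifier.unknown tag is not yet set, which is what produces the confusing result Russell saw. The second form parses once and then branches with embedded log statements (available in syslog-ng 3.x), so the pattern database is run a single time per message rather than once per top-level log{} block.

```conf
@version: 3.4

# Assumed source: plain UDP syslog on the standard port.
source s_net { udp(ip(0.0.0.0) port(514)); };

# Assumed parser definition; replace the placeholder with the real patterndb file.
parser p_db {
    db-parser(file("/path/to/patterndb.xml"));
};

# Filter from the thread: matches only messages the pattern database
# could not classify. The tag is set by p_db, so this must run after it.
filter f_unknown { tags(".classifier.unknown"); };
filter f_known   { not tags(".classifier.unknown"); };

# Assumed destinations.
destination d_unknown { file("/var/log/syslog-ng/unclassified.log"); };
destination d_known   { file("/var/log/syslog-ng/classified.log"); };

# WRONG ORDER: the filter is evaluated before the parser has tagged the
# message, so it cannot test a tag that does not exist yet.
# log { source(s_net); filter(f_unknown); parser(p_db); destination(d_unknown); };

# RIGHT ORDER: parse once, then branch. Each embedded log {} sees the
# tags and ${.classifier.class} set by p_db, and p_db runs only once.
log {
    source(s_net);
    parser(p_db);
    log { filter(f_unknown); destination(d_unknown); };
    log { filter(f_known);   destination(d_known); };
};
```

A quick check after reloading is to send one message that is known to match a pattern and one that is not, and confirm each lands in exactly one of the two files; if both end up in unclassified.log, the filter is still being evaluated before the parser somewhere in the configuration.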