[syslog-ng] Correct Usage of Multiple 'pattern' Databases
David Hauck
davidh at netacquire.com
Fri Apr 11 19:18:46 CEST 2014
Hello,
I've only recently dug into some more intricate 'syslog-ng' configurations and had a question regarding 'log' construct blocks where multiple 'parser' references exist. I've been trying to do something like the following (testing with the supplied example pattern databases):
    log {
        filter(f_auth);
        parser("login");
        parser("sshd");
        parser("su");
        parser("sudo");
        log {
            filter(f_class_system);
            ...
        };
    };
The problem I'm having is that extracted values from matched rules appear to be lost when the matched rule exists in a pattern db *other than the last referenced parser() db*. Specifically, if a rule is matched in the 'sshd' db above the following 'f_class_system' filter (which attempts to match '.classifier.class') *does not* match; however, if a rule is matched in the 'sudo' db above the 'f_class_system' filter *does* match.
I'm sure this is perfectly explainable, but I can't find any documentation/Google references specifically outlining this behaviour. Given the above, and in order to work around this, I assume I would have to either: 1) combine all of the rules into a single db file, or 2) break out each 'parser' reference into a separate embedded 'log' construct (not ideal, since the filtering, etc., mechanics in each would be identical and for maintenance reasons I'd like to consolidate these into a single 'log' construct). Both options are less than ideal. Is there a better way?
Really appreciate any help you might be able to offer.
Thanks,
-David
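The first workaround mentioned in the post (one pattern database file carrying all of the rules) can be sketched as follows. This is an added example and not part of the original message or of the syslog-ng example databases; the file path, ruleset/rule ids and the two rule patterns are assumptions made for illustration, and the rules are deliberately minimal. A single patterndb file may contain several <ruleset> elements, each keyed on its own program name, so the four separate example databases can be merged and referenced through one parser() without changing the filtering logic in the log path:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: /etc/syslog-ng/patterndb.d/auth-all.xml (example only) -->
<patterndb version="4" pub_date="2014-04-11">

  <!-- One ruleset per program; rulesets are selected by the message's
       program name, so several can coexist in the same file. -->
  <ruleset name="sshd" id="example-ruleset-sshd">
    <patterns>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <!-- Assumed rule: classify successful logins as class "system". -->
      <rule provider="example" id="example-rule-sshd-accepted" class="system">
        <patterns>
          <pattern>Accepted @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @NUMBER:usracct.port@ @ANYSTRING:usracct.service@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>

  <ruleset name="sudo" id="example-ruleset-sudo">
    <patterns>
      <pattern>sudo</pattern>
    </patterns>
    <rules>
      <!-- Assumed rule: classify sudo command use as class "system". -->
      <rule provider="example" id="example-rule-sudo-command" class="system">
        <patterns>
          <pattern>@ESTRING:usracct.username: :@ TTY=@ESTRING:usracct.device: ;@ PWD=@ESTRING:: ;@ USER=@ESTRING:usracct.target_user: ;@ COMMAND=@ANYSTRING:usracct.command@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>

  <!-- Further rulesets (login, su, ...) would follow the same shape. -->
</patterndb>
```

With the merged file in place the log path from the post would reference a single parser, for example `parser p_auth_all { db-parser(file("/etc/syslog-ng/patterndb.d/auth-all.xml")); };` declared at top level and then `parser(p_auth_all);` inside the `log { ... }` block, so that `.classifier.class` is set exactly once per message before `filter(f_class_system)` is evaluated. The `pdbtool test` and `pdbtool match` utilities shipped with syslog-ng can be used to check that the merged file loads and that sample sshd/sudo lines are assigned the expected class before it is put into the live configuration.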