[syslog-ng] Correct Usage of Multiple 'pattern' Databases

Tusa Viktor tusavik at gmail.com
Fri Apr 11 22:33:51 CEST 2014


On Fri, Apr 11, 2014 at 10:10 PM, David Hauck <davidh at netacquire.com> wrote:

> Hi Viktor,
>
> On Friday, April 11, 2014 1:01 PM, syslog-ng-bounces at lists.balabit.hu wrote:
> > Hi David!
> >
> > If a log message does not match any pattern for a parser, syslog-ng
> > db-parser sets its .classifier.class to "unknown" regardless of the
> > field's previous state.
> > So if it matched on a previous parser, the next parser will overwrite
> > it if it doesn't match on that. I think it's a bug rather than a
> > feature, so could you please open an issue for that on github?
>
> Sure, I can do that (although I can imagine a potential valid semantic for
> wanting this to behave either way).
>
Perhaps then we should make this switchable and the default should be the
current behaviour. You're right, I forgot that changing behaviour could
break existing configs :(.

>
> > You can merge patterndb .pdb files easily with "pdbtool merge"
> > command, which is shipped with syslog-ng. It's simpler than having
> > junctions :).
>
> :) OK, that's an option too (although I also like splitting these out into
> individual files and not having to run the merge whenever an individual
> file is modified).
>
> Cheers,
> -David
>