[syslog-ng] Basic (?) multi line question
jrhendri at roadrunner.com
Wed Apr 23 19:40:09 CEST 2014
Hi,
I am trying to parse data elements out of a variable number of log lines that all are associated by a single unique key.
Specifically - they are Cisco IronPort email logs that have various "ID" fields (MID - message ID is the most common)
Essentially I want to pull the MID out of the line marked:
"Start MID (\d+) <other stuff>"
and then process every line that matches that specific MID value as part of the message.
Note: they all have this string included somewhere:
"MID (\d+) "
Up to a reasonable timeout - or ended by:
"Message finished mid (\d+) done" with the matching ID.
Is this possible with syslog-ng? (OSE or PE?)
I thought I had seen something using patterndb but I cannot seem to find the reference
Clearly there will be interleaved lines with *different* MIDs that need to be processed independently.
Thanks in advance!
Jim
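One way to implement the correlation Jim describes, as an added stand-alone example (this is not syslog-ng configuration and not code from the original post): a small Python correlator that opens a context when it first sees a MID, appends every later line carrying that MID, and closes the context either on the "Message finished MID ... done" line or after a timeout measured on the log timestamps, so interleaved MIDs are tracked independently. The sample lines are constructed in an IronPort-like shape; the 60-second timeout, the case-insensitive match on "mid", and the exact line layout are assumptions, not facts about IronPort.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an IronPort-like shape (not real log data).
# MID 1001 completes, MID 1002 never finishes (it should time out),
# MID 1003 is still in flight when the input ends.
SAMPLE_LOG = """\
Wed Apr 23 10:00:01 2014 Info: Start MID 1001 ICID 501
Wed Apr 23 10:00:01 2014 Info: MID 1001 ICID 501 From: <alice@example.com>
Wed Apr 23 10:00:02 2014 Info: Start MID 1002 ICID 502
Wed Apr 23 10:00:02 2014 Info: MID 1001 ICID 501 RID 0 To: <bob@example.net>
Wed Apr 23 10:00:03 2014 Info: MID 1002 ICID 502 From: <carol@example.org>
Wed Apr 23 10:00:03 2014 Info: MID 1001 Subject 'Quarterly report'
Wed Apr 23 10:00:04 2014 Info: Message finished MID 1001 done
Wed Apr 23 10:00:05 2014 Info: MID 1002 ICID 502 RID 0 To: <dave@example.net>
Wed Apr 23 10:05:30 2014 Info: Start MID 1003 ICID 503
"""

# Assumed timestamp layout: "Wed Apr 23 10:00:01 2014 <message>".
TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
# The three patterns from the question; IGNORECASE is an assumption so that
# "Message finished mid N done" and "MID N" are treated as the same key.
MID_RE = re.compile(r"\bMID (\d+)\b", re.IGNORECASE)
START_RE = re.compile(r"\bStart MID (\d+)\b", re.IGNORECASE)
END_RE = re.compile(r"\bMessage finished MID (\d+) done\b", re.IGNORECASE)


def parse_line(line):
    """Split a line into (timestamp, message); None if it carries no timestamp."""
    m = TS_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


class MidCorrelator:
    """Group log lines by MID; one open context per message in flight."""

    def __init__(self, timeout_seconds=60):
        self.timeout = timedelta(seconds=timeout_seconds)
        self.open = {}  # mid -> {"mid", "first", "last", "started", "lines"}

    def _close(self, mid, status):
        ctx = self.open.pop(mid)
        ctx["status"] = status  # "done", "timeout" or "open"
        return ctx

    def _expire(self, now):
        # Timeouts are driven by log time, not wall-clock, so replaying a file works.
        stale = [mid for mid, c in self.open.items() if now - c["last"] > self.timeout]
        return [self._close(mid, "timeout") for mid in stale]

    def feed(self, line):
        """Process one line; return the contexts it closed (possibly none)."""
        parsed = parse_line(line)
        if parsed is None:
            return []
        ts, msg = parsed
        closed = self._expire(ts)
        m = MID_RE.search(msg)
        if not m:
            return closed  # no MID: not part of any message
        mid = m.group(1)
        ctx = self.open.setdefault(
            mid, {"mid": mid, "first": ts, "last": ts, "started": False, "lines": []}
        )
        ctx["last"] = ts
        ctx["lines"].append(msg)
        if START_RE.search(msg):
            ctx["started"] = True  # False means we joined this message mid-stream
        if END_RE.search(msg):
            closed.append(self._close(mid, "done"))
        return closed

    def flush(self):
        """Return every context still open (e.g. at end of input)."""
        return [self._close(mid, "open") for mid in list(self.open)]


def correlate(text, timeout_seconds=60):
    """Run the correlator over a whole log; contexts are returned in closing order."""
    c = MidCorrelator(timeout_seconds)
    out = []
    for line in text.splitlines():
        out.extend(c.feed(line))
    out.extend(c.flush())
    return out


if __name__ == "__main__":
    for ctx in correlate(SAMPLE_LOG):
        print(f"MID {ctx['mid']}: {ctx['status']}, {len(ctx['lines'])} line(s), "
              f"{ctx['first']:%H:%M:%S} .. {ctx['last']:%H:%M:%S}")
```

The shape of this (a key extracted per line, a context opened on first sight, closed on a terminal pattern or an idle timeout) is the same model that syslog-ng's patterndb correlation expresses with the context-id and context-timeout rule attributes; the Python here is only a reference for checking what the expected grouping should be on a given log before writing that configuration.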