[syslog-ng] patterndb and context - access fields from initial message

Atom2 ariel.atom2 at web2web.at
Mon Jul 7 22:56:35 CEST 2014 

Hi guys,
I did have a conversation today on IRC with algernon (again many thanks 
to him) about the problem I am faced with and we agreed that I should 
send my question to the list.

My aim is to consolidate a bunch of related syslog messages into a 
single message once the final message has come in (or a timeout has 
occured for whatever reason). To do this I use patterndb together with a 
defined context linking related messages to the context.

Unfortunately the length of the context (i.e. the number of messages 
within the context) is unknown from the outset. Basically it (mainly) 
depends on how long the context is active for - which can be any time 
and is completely unforseeable.

Now my problem is as follows: From the initial message I parse (using 
patterndb) certain fields into a number of named MACROS. This is all 
solved and works very well.

When the final message comes in (or in case a timeout occurs) I would 
like to trigger an action (triggered by match or timeout respectively) 
to generate and subsequently inject a message about the full context 
using certain fields, mainly from the final message, but also including 
a number of fields from the inital message of the context.

Generally a field is available using the syntax ${MACRO}@# where @# 
denotes a reference to a previous message within the same context - so 
${MACRO}@5 would use the value of MACRO from a message with a distance 
of 5 from the curren message (where the distance of the current message 
to itself is 1 - so @5 references the 4th previous message). That also 
works very well but obviously requires that one knows which message to 
refer to using the distance value.

The problem comes when the context-length is unknown and thus the 
distance of the initial message to the final message is not a fixed, 
pre-determined number but rather varies.

Although there seems to be a variable/macro indicating/storing the 
context-length which (according to the manual) can be accessed by 
$(context-length) [NOTE: the paranthesis instead of the curly braces] 
the combination of the two does not seem to work out: I was expecting that

	${MACRO}@$(context-length)

would provide me with the required information - that is: the value of 
the parsed field from the initial message - but my construct 
unfortunately fails.

Is there anything I am doing wrong here (i.e. is there any 
quoting/esacping required for certain characters), is my thought process 
flawed or does this not work/is it a bug. In case it does not work, how 
would I be able to achieve my goal.

Many thanks and best regards,

Atom2


P.S. The version of syslog-ng I am using is 3.4.7, compiled from 
sources, using the latest stable gentoo ebuild.

More information about the syslog-ng mailing list