[syslog-ng] PCRE in patterndb with back substitution

Nagy, Gábor gabor.nagy at balabit.com
Tue Mar 20 13:06:43 UTC 2018


Hi Elen!

Does your application log into a file? Because then you could use a
multi-line file source with a well-defined prefix such as "{date} {host}
{program}:".

Regards,
Gabor

On Thu, Mar 15, 2018 at 7:10 AM, Scheidler, Balázs <
balazs.scheidler at balabit.com> wrote:

> The $1 is not set in this case, you can however use template functions in
> the value part. E.g. set line based on the @PCRE@ matcher and overwrite
> its value using an expression $(substr $line 0 -3)
>
> Would that work for you?
>
>
> On Mar 15, 2018 02:08, "Evan Rempel" <erempel at uvic.ca> wrote:
>
>> I have a case where an application logs something like
>>
>> {date} {host} {program}: my first line...
>> ...my second line...
>> ...and my third line.
>>
>>
>> I want to make a correlation and unwrap these lines into
>>
>> {date} {host} {program}: my first line my second line and my third line.
>>
>>
>> I started writing the patterndb to do this, but matching the ... at the end
>> of the line is difficult, so I used @PCRE:line:(.*)\.\.\.$@
>>
>> but I then need to only use the $1 to set a value
>>
>> <values>
>>  <value name="mymessage">$1</value>
>> </values>
>>
>>
>> Would this be the correct syntax to do this?
>>
>> Is there an easier way that would perform well?
>>
>> Thanks,
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
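The multi-line file source suggested in the reply at the top of this message, sketched as a syslog-ng configuration. This is an added example, not configuration posted by anyone in the thread. The version line, the file paths, the object names, the BSD-style timestamp assumed for "{date}", and the subst() rewrite that removes the "..." markers are all assumptions.

```conf
@version: 3.14   # assumed; set this to the installed syslog-ng version

# Constructed sample input in the application's log file:
#   Mar 15 02:08:00 host1 myapp: my first line...
#   ...my second line...
#   ...and my third line.

source s_app {
    file("/var/log/myapp/app.log"        # hypothetical path
        # Keep the whole line, header included, in ${MESSAGE}.
        flags(no-parse)
        # A line matching the prefix starts a new record; lines that do
        # not match are appended to the current record.
        multi-line-mode(prefix-garbage)
        # Assumed concrete form of "{date} {host} {program}:".
        multi-line-prefix("^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ [^ ]+: ")
    );
};

# The joined record still contains the embedded newlines and the "..."
# continuation markers. Replace each "...<newline>..." with one space.
rewrite r_unwrap {
    subst('\.\.\.\n\.\.\.', " ", value("MESSAGE"), type("pcre"), flags("global"));
};

destination d_unwrapped {
    file("/var/log/myapp/unwrapped.log"  # hypothetical path
        template("${MESSAGE}\n"));
};

log {
    source(s_app);
    rewrite(r_unwrap);
    destination(d_unwrapped);
};

# Expected record for the sample input:
#   Mar 15 02:08:00 host1 myapp: my first line my second line and my third line.
```

In prefix-garbage mode a record is complete only when the next line matching the prefix is read, so the last record in the file is held until another message arrives.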

