[syslog-ng] PCRE in patterndb with back substitution

Nagy, Gábor gabor.nagy at balabit.com
Tue Mar 20 13:07:15 UTC 2018


Sorry Evan for mistyping your name. :)

On Tue, Mar 20, 2018 at 2:06 PM, Nagy, Gábor <gabor.nagy at balabit.com> wrote:

> Hi Elen!
>
> Does your application log into a file? Because then you could use
> multi-line file source with a well-defined prefix as the "{date} {host}
> {program}:".
>
> Regards,
> Gabor
>
> On Thu, Mar 15, 2018 at 7:10 AM, Scheidler, Balázs <
> balazs.scheidler at balabit.com> wrote:
>
>> The $1 is not set in this case, you can however use template functions
>> in the value part. E.g. set line based on the @PCRE@ matcher and
>> overwrite its value using an expression $(substr $line 0 -3)
>>
>> Would that work for you?
>>
>>
>> On Mar 15, 2018 02:08, "Evan Rempel" <erempel at uvic.ca> wrote:
>>
>>> I have a case where an application logs something like
>>>
>>> {date} {host} {program}: my first line...
>>> ...my second line...
>>> ...and my third line.
>>>
>>>
>>> I want to make a correlation and unwrap these lines into
>>>
>>> {date} {host} {program}: my first line my second line and my third line.
>>>
>>>
>>> I started writing the patterndb to do this, but matching the ... at the
>>> end of the line is difficult, so I used @PCRE:line:(.*)\.\.\.$@
>>>
>>> but I then need to only use the $1 to set a value
>>>
>>> <values>
>>>  <value name="mymessage">$1</value>
>>> </values>
>>>
>>>
>>> Would this be the correct syntax to do this?
>>>
>>> Is there an easier way that would perform well?
>>>
>>> Thanks,
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>
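As an added illustration (not code from the thread or from syslog-ng itself), this Python script emulates what the two suggestions above amount to: a prefix-based multi-line join in the style of a multi-line file source, and dropping the trailing "..." from the @PCRE@-matched value the way $(substr $line 0 -3) would. The header pattern, the sample log and the function names are assumptions made for the example.

```python
import re
from typing import Iterable, List

# Constructed sample in the shape the thread describes: a "{date} {host} {program}:"
# header line whose text continues on later lines, "..." marking the wrap on both sides.
SAMPLE_LOG = """\
2018-03-15T02:08:00 app01 myapp: my first line...
...my second line...
...and my third line.
2018-03-15T02:08:01 app01 myapp: a single-line message.
2018-03-15T02:08:02 app01 myapp: another wrapped...
...message.
"""

# Stand-in for a multi-line prefix: "date host program:" opens a message, anything else continues it.
PREFIX_RE = re.compile(r"^\S+ \S+ \S+: ")

# The thread's matcher @PCRE:line:(.*)\.\.\.$@ as a Python regex.
TRAILING_DOTS_RE = re.compile(r"^(.*)\.\.\.$")


def group_records(lines: Iterable[str]) -> List[List[str]]:
    """Split raw lines into messages using the header prefix."""
    records: List[List[str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if PREFIX_RE.match(line) or not records:
            records.append([line])  # a stray continuation starts its own record
        else:
            records[-1].append(line)
    return records


def strip_wrap_markers(fragment: str, is_first: bool) -> str:
    """Drop the trailing '...' (what $(substr $line 0 -3) does to the matched
    value) and, on continuation lines, the leading '...'."""
    m = TRAILING_DOTS_RE.match(fragment)
    if m:
        fragment = m.group(1)  # the text $1 would hold
    if not is_first and fragment.startswith("..."):
        fragment = fragment[3:]
    return fragment.strip()


def unwrap(lines: Iterable[str]) -> List[str]:
    """Reassemble every wrapped message into a single line."""
    return [
        " ".join(strip_wrap_markers(f, i == 0) for i, f in enumerate(record))
        for record in group_records(lines)
    ]
```

Running `unwrap(SAMPLE_LOG.splitlines(keepends=True))` yields one line per message, the first being the unwrapped form the original poster asked for.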