[syslog-ng] PCRE in patterndb with back substitution

Evan Rempel erempel at uvic.ca
Tue Mar 20 13:19:46 UTC 2018


No problem about my name. My fast fingers make tonnes of errors.

The application does not log into a file, so that isn't a really good 
option.
I have the patterndb working for this; however, I came across another 
line that is

... 20 more

and has a continuation line preceding it that does NOT end in ... so I 
have to filter that one out.

Does anyone handle java stack dumps gracefully :-)

Evan

On 03/20/2018 06:07 AM, Nagy, Gábor wrote:
> Sorry Evan for mistyping your name. :)
>
> On Tue, Mar 20, 2018 at 2:06 PM, Nagy, Gábor <gabor.nagy at balabit.com 
> <mailto:gabor.nagy at balabit.com>> wrote:
>
>     Hi Elen!
>
>     Does your application log into a file? Because then you could use
>     multi-line file source with a well-defined prefix as the "{date}
>     {host} {program}:".
>
>     Regards,
>     Gabor
>
>     On Thu, Mar 15, 2018 at 7:10 AM, Scheidler, Balázs
>     <balazs.scheidler at balabit.com
>     <mailto:balazs.scheidler at balabit.com>> wrote:
>
>         The $1 is not set in this case, you can however use template
>         functions in the value part. E.g. set line based on the @PCRE@
>         matcher and overwrite its value using an expression $(substr
>         $line 0 -3)
>
>         Would that work for you?
>
>
>         On Mar 15, 2018 02:08, "Evan Rempel" <erempel at uvic.ca
>         <mailto:erempel at uvic.ca>> wrote:
>
>             I have a case where an application logs something like
>
>             {date} {host} {program}: my first line...
>             ...my second line...
>             ...and my third line.
>
>
>             I want to make a correlation and unwrap these lines into
>
>             {date} {host} {program}: my first line my second line and
>             my third line.
>
>
>             I started writing the patterndb to do this, but matching
>             the ... at the end
>
>             of the line is difficult, so I used @PCRE:line:(.*)\.\.\.$@
>
>             but I then need to only use the $1 to set a value
>
>             <values>
>              <value name="mymessage">$1</value>
>             </values>
>
>
>             Would this be the correct syntax to do this?
>
>             Is there an easier way that would perform well?
>
>             Thanks,
>
>             ______________________________________________________________________________
>             Member info:
>             https://lists.balabit.hu/mailman/listinfo/syslog-ng
>             <https://lists.balabit.hu/mailman/listinfo/syslog-ng>
>             Documentation:
>             http://www.balabit.com/support/documentation/?product=syslog-ng
>             <http://www.balabit.com/support/documentation/?product=syslog-ng>
>             FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>             <http://www.balabit.com/wiki/syslog-ng-faq>
>
>
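The unwrapping discussed in this thread, written out as a small Python script so the rules can be tried on sample input. This is an added example, not syslog-ng configuration and not code from anyone on the list; it assumes a BSD-style "{date} {host} {program}: " prefix and uses a constructed sample input. It applies the two rules the thread arrives at: a fragment ending in "..." (what the @PCRE:line:(.*)\.\.\.$@ matcher captures, with the trailing dots removed as $(substr $line 0 -3) would do) is joined with the following "..."-prefixed line, and Java's "... N more" marker is not treated as a continuation.

```python
import re
from typing import List, Optional

# Constructed sample input (not taken from the mailing-list post): a three-line
# message whose first two lines end in "...", followed by a Java stack-trace tail
# whose "... 20 more" must not be mistaken for a continuation line.
SAMPLE_LINES = [
    "Mar 15 02:08:00 host1 myapp: my first line...",
    "...my second line...",
    "...and my third line.",
    "Mar 15 02:08:01 host1 myapp: Caused by: java.lang.RuntimeException: boom",
    "\tat com.example.Foo.bar(Foo.java:42)",
    "... 20 more",
    "Mar 15 02:08:02 host1 myapp: a normal single line",
]

# Assumed "{date} {host} {program}: " prefix in BSD syslog shape.
HEADER_RE = re.compile(
    r"^(?P<hdr>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ \S+: )(?P<line>.*)$"
)
# Equivalent of @PCRE:line:(.*)\.\.\.$@: capture everything before a trailing "...".
TRAILING_DOTS_RE = re.compile(r"^(.*)\.\.\.$")
# A continuation line starts with "...", but "... N more" (Java's elided-frames
# marker) is excluded by the negative lookahead.
LEADING_DOTS_RE = re.compile(r"^\.\.\.(?! *\d+ more$)(?P<rest>.*)$")


def strip_trailing_dots(text: str) -> Optional[str]:
    """Return text without its trailing '...', or None if it has none.
    This mirrors $(substr $line 0 -3) applied to a line the PCRE matcher accepted."""
    m = TRAILING_DOTS_RE.match(text)
    return m.group(1) if m else None


def unwrap(lines: List[str]) -> List[str]:
    """Join '...'-wrapped fragments into one record; pass every other line through."""
    out: List[str] = []
    pending_hdr: Optional[str] = None   # header of the message still being assembled
    pending_parts: List[str] = []

    def flush() -> None:
        nonlocal pending_hdr, pending_parts
        if pending_hdr is not None:
            # An unterminated chain is emitted as-is rather than silently dropped.
            out.append(pending_hdr + " ".join(pending_parts))
            pending_hdr, pending_parts = None, []

    for raw in lines:
        hm = HEADER_RE.match(raw)
        if hm:
            flush()
            head = strip_trailing_dots(hm.group("line"))
            if head is None:
                out.append(raw)  # ordinary single-line message
            else:
                pending_hdr, pending_parts = hm.group("hdr"), [head.rstrip()]
            continue
        cm = LEADING_DOTS_RE.match(raw) if pending_hdr is not None else None
        if cm is None:
            flush()
            out.append(raw)  # not a continuation: stack frames, "... 20 more", etc.
            continue
        rest = cm.group("rest")
        middle = strip_trailing_dots(rest)
        if middle is None:
            pending_parts.append(rest.strip())
            flush()          # final fragment: no trailing "..."
        else:
            pending_parts.append(middle.strip())
    flush()
    return out


if __name__ == "__main__":
    for record in unwrap(SAMPLE_LINES):
        print(record)
```

Running the script prints the three-line message as one record, "my first line my second line and my third line.", while the stack-trace lines and the "... 20 more" marker come out unchanged; a chain that is cut off by a non-continuation line is flushed as-is so nothing is lost.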

