[syslog-ng] PCRE in patterndb with back substitution

Nagy, Gábor gabor.nagy at balabit.com
Tue Mar 20 13:56:17 UTC 2018


I see that the complexity of that regex expression would increase hugely if
you want to solve it that way.

I'm still thinking about other possibilities before focusing on a patterndb
solution.
What kind of source do you use for that application? Where is it logging to?

Gabor


On Tue, Mar 20, 2018 at 2:19 PM, Evan Rempel <erempel at uvic.ca> wrote:

> No problem about my name. My fast fingers make tonnes of errors.
>
> The application does not log into a file, so that isn't a really good
> option.
> I have the patterndb working for this; however, I came across another line
> that is
>
> ... 20 more
>
> and has a continuation line preceding it that does NOT end in ..., so I
> have to filter that one out.
>
> Does anyone handle java stack dumps gracefully :-)
>
> Evan
>
>
> On 03/20/2018 06:07 AM, Nagy, Gábor wrote:
>
> Sorry Evan for mistyping your name. :)
>
> On Tue, Mar 20, 2018 at 2:06 PM, Nagy, Gábor <gabor.nagy at balabit.com>
> wrote:
>
>> Hi Elen!
>>
>> Does your application log into a file? Because then you could use
>> multi-line file source with a well-defined prefix as the "{date} {host}
>> {program}:".
>>
>> Regards,
>> Gabor
>>
>> On Thu, Mar 15, 2018 at 7:10 AM, Scheidler, Balázs <
>> balazs.scheidler at balabit.com> wrote:
>>
>>> The $1 is not set in this case, you can however use template functions
>>> in the value part. E.g. set line based on the @PCRE@ matcher and
>>> overwrite its value using an expression $(substr $line 0 -3)
>>>
>>> Would that work for you?
>>>
>>>
>>> On Mar 15, 2018 02:08, "Evan Rempel" <erempel at uvic.ca> wrote:
>>>
>>>> I have a case where an application logs something like
>>>>
>>>> {date} {host} {program}: my first line...
>>>> ...my second line...
>>>> ...and my third line.
>>>>
>>>>
>>>> I want to make a correlation and unwrap these lines into
>>>>
>>>> {date} {host} {program}: my first line my second line and my third line.
>>>>
>>>>
>>>> I started writing the patterndb to do this, but matching the ... at the
>>>> end of the line is difficult, so I used @PCRE:line:(.*)\.\.\.$@
>>>>
>>>> but I then need to only use the $1 to set a value
>>>>
>>>> <values>
>>>>  <value name="mymessage">$1</value>
>>>> </values>
>>>>
>>>>
>>>> Would this be the correct syntax to do this?
>>>>
>>>> Is there an easier way that would perform well?
>>>>
>>>> Thanks,
>>>>
>>>> ______________________________________________________________________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
>
>
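The rule Balázs sketches above (a @PCRE@ matcher that stores the whole matched line, then a template function in the value rather than a $1 reference) written out as a complete patterndb file. This is an added example, not code from the thread or from the syslog-ng project; the ruleset and rule ids, the provider string, the program name `myapp` and the sample message in the `<examples>` section are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for the thread above. Ids, provider, the program name
     "myapp" and the test message are assumed, not taken from the thread.
     Load it from syslog-ng.conf with:
       parser p_db { db-parser(file("/etc/syslog-ng/patterndb.xml")); }; -->
<patterndb version="4" pub_date="2018-03-20">
  <ruleset name="myapp-continuation" id="example-ruleset-myapp-continuation">
    <!-- the ruleset is selected by $PROGRAM; "myapp" is an assumed name -->
    <pattern>myapp</pattern>
    <rules>
      <rule provider="example" id="example-rule-trailing-dots" class="system">
        <patterns>
          <!-- @PCRE:line:regexp@ stores the WHOLE matched text in $line,
               i.e. "my first line..." including the three trailing dots.
               Capture groups inside the regexp are not exported, so there
               is no $1 to refer to in the value section. -->
          <pattern>@PCRE:line:.*\.\.\.$@</pattern>
        </patterns>
        <values>
          <!-- Does not work: $1 is never set, mymessage would come out empty.
               <value name="mymessage">$1</value> -->
          <!-- Works: substr with a negative length drops that many characters
               from the end, so the trailing "..." is cut off. -->
          <value name="mymessage">$(substr $line 0 -3)</value>
          <!-- mark the message so a later filter() can select continuation lines -->
          <value name="continues">yes</value>
        </values>
        <examples>
          <example>
            <!-- constructed sample message, not from the original post -->
            <test_message program="myapp">my first line...</test_message>
            <test_values>
              <test_value name="line">my first line...</test_value>
              <test_value name="mymessage">my first line</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Run `pdbtool test patterndb.xml` against the file: it feeds each `<test_message>` through the ruleset and reports whether `mymessage` came out as the `<test_value>` says, which is the quickest way to confirm that `$(substr $line 0 -3)` really strips the dots before the rule goes into a production config. The lines that start with "..." (the second and third lines of the original message) and the "... 20 more" case from the follow-up are not handled by this rule; they need their own pattern or a filter, as Evan notes.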

