[syslog-ng] grouping-by question
Peter Kokai (pkokai)
Peter.Kokai at oneidentity.com
Thu Jun 20 11:50:17 UTC 2019
You can have a *closing message* which closes the context, which is a filter. You could try to use the context-length macro there instead of the actual message, that way you might achieve this. But I am not sure if in that filter you could access the context length or not.
Please, if you do try, report on the findings :)
PS: just from a quick look at the code, this should be a possibility (and maybe something I would adopt in my silly configs).
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Газин Максим Алексеевич <Maksim.Gazin at rt.ru>
Sent: 20 June 2019 13:45
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] grouping-by question
Bypassed the problem in this way: `$(- $(context-length) 1)`
And one more question: is it possible to use the context-length instead of a timeout as the context closure value?
From: Fabien Wernli [mailto:wernli at in2p3.fr]
Sent: Thursday, June 20, 2019 12:25 PM
To: Газин Максим Алексеевич <Maksim.Gazin at rt.ru>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: RE: [syslog-ng] grouping-by question
On Thu, Jun 20, 2019 at 07:17:28AM +0000, Газин Максим Алексеевич wrote:
> what does it mean? Is it possible to make the context-length equal to the value of the aggregated messages?
In your original email, your config indicated that you were using `timeout(15)` in the grouping-by config.
As far as I understand the grouping-by parser, this means that the context will only be closed (and thus context-len reinitialized) if no message matches the condition for 15 seconds.