| Main Archive Page > Month Archives > syslog-ng-users archives |
Re: [syslog-ng] consecutive pattern parsers, and some other pattern matching questions
From: Valentijn Sessink <valentyn_at_nospam>Date: Fri Feb 11 2011 - 13:14:16 GMT
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
All right, replying to myself:
Valentijn Sessink schreef:
> 1) @ESTRING:postfix.remotehost:[@@IPvANY:postfix.remoteip@]</pattern>
I probably had a typo in the original pattern; as far as I can see, it
does work with two consecutive pattern parsers.
> 2) The syslog-ng OSE admin guide tells me to use @QSTRING:<>@ to match the
This is a bit unclear in the documentation. The documentation just
mentions the QSTRING:<> match, while naturally, the < and > need to be
escaped (< and >).
> 3) My third question boils down to: is it possible to correlate *one*
> single message into *two* separate trails?
Yes, you can, but at a cost. To match one message with two patterns, you
will need two different pattern databases:
parser db1 {db_parser(file("/var/lib/syslog-ng/db1.xml"));};
parser db2 {db_parser(file("/var/lib/syslog-ng/db2.xml"));};
Then, in the log {} entry, specify parser(db1) for the first pattern;
and parser(db2) for the second. This seems to work as expected.
Trying to match with identical patterns in one database won't work (for
technical reasons).
Valentijn
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html