
db-parser: tag and value support

Tuesday, August 18, 2009, 09:08 PM. Author: Márton Illés

It has been some time since I last posted about db-parser() related things, though I have done some development on it recently. Bazsi has already integrated some of my patches into the syslog-ng 3.1 branch, so I thought it would make sense to write about the new features.

In one of my earlier posts I wrote about adding tag support to syslog-ng; Bazsi has since merged it into the 3.1 mainline. To make the feature more useful, the version 2 patterndb format already allowed each rule to list tags that should be attached to the messages it matches, but so far nothing implemented that. It is now possible to tag messages directly from the patterndb configuration and filter on those tags later. This is more versatile than relying on the classification alone, because a rule can assign several tags, and checking a tag is much faster than comparing the class string of the message. (One limitation: tags cannot be used in macros the way the class can. You can use the ${.classifier.class} macro in a template, but there is no macro that expands to the tags of a message.)

Besides tags, patterndb gained support for assigning static values to messages. With patterndb version 3 (which is backward compatible with version 2) each rule can specify named values. When a message matches a rule, all the values specified in that rule are assigned to the message, just as a named parser such as @STRING:myvalue@ assigns the part it matched, and these values can later be used in filters or in macros. (See my previous post on parsers.) A value may itself contain macros, so you can refer back to any parsed part of the message. This is probably most useful when you want to store messages in some structured form where every required field must be filled in.

With these additions you can write a rule like the following, shown here as its element contents: the pattern, the tags and the value assignment:

 my pattern @STRING:my_parsed_value@
 tag1 tag2
 foo bar ${myvalue1}

Version 3 of the patterndb format has also been extended so that it can hold example messages for a given pattern. This is handy when you want to test your patterns automatically, or simply to document the original message that you wrote the pattern for. Along with each example you can also specify the values (and tags) that are expected to be parsed from, or assigned to, the message.

The previous example can be extended this way (again as element contents: the rule, followed by an example message with its expected value and tags):

 my pattern @STRING:my_parsed_value@
 tag1 tag2
 foo bar ${myvalue1}

 my pattern test
 foo bar foo test
 tag1 tag2
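To make the two fragments above concrete, here is an added example, not code from this post or from syslog-ng itself: a small Python model of the patterndb v3 semantics described on this page. It loads a constructed v3-style rule set (element names such as tags/tag, values/value, examples/example, test_message, test_values and test_tags follow the v3 schema as assumed here, and the ids are placeholders where real rule sets use UUIDs), compiles the @STRING@, @NUMBER@ and @ESTRING@ parsers into regular expressions, tags a matching message, assigns the rule's static values with ${...} macros expanded from the parsed parts, and finally replays the embedded examples against the database the way an automated pattern test would, reporting any value or tag that does not come out as expected. Unmatched messages get class "unknown" and no tags. The STRING parser is approximated as a run of alphanumerics plus any extra characters given after the name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed patterndb v3 sample (not from the post); ids are placeholders, element names assumed.
SAMPLE_PATTERNDB = """<patterndb version="3">
 <ruleset name="example" id="ruleset-0001"><pattern>myprog</pattern><rules>
  <rule id="rule-0001" class="system" provider="example">
   <patterns><pattern>my pattern @STRING:my_parsed_value@</pattern></patterns>
   <tags><tag>tag1</tag><tag>tag2</tag></tags>
   <values><value name="foo">bar ${my_parsed_value}</value></values>
   <examples><example>
    <test_message program="myprog">my pattern test</test_message>
    <test_values><test_value name="foo">bar test</test_value></test_values>
    <test_tags><test_tag>tag1</test_tag><test_tag>tag2</test_tag></test_tags>
   </example></examples>
  </rule>
 </rules></ruleset>
</patterndb>"""

# @STRING:name@ / @STRING:name:extra@, @NUMBER:name@, @ESTRING:name:delim@ (empty delim = rest)
PARSER_RE = re.compile(r'@(STRING|NUMBER|ESTRING):(\w+)(?::([^@]*))?@')
MACRO_RE = re.compile(r'\$\{([^}]+)\}|\$(\w+)')   # ${name} or $name

def compile_pattern(pattern):
    """Translate a patterndb pattern into an anchored regex with one named group per parser."""
    out, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        kind, name, arg = m.groups()
        out.append(re.escape(pattern[pos:m.start()]))      # literal text before the parser
        if kind == 'STRING':                               # alphanumerics plus the extra characters
            out.append(r'(?P<%s>[A-Za-z0-9%s]+)' % (name, re.escape(arg or '')))
        elif kind == 'NUMBER':
            out.append(r'(?P<%s>\d+)' % name)
        else:  # ESTRING: shortest run up to the delimiter (consumed), or the rest if none given
            out.append(r'(?P<%s>.*?)%s' % (name, re.escape(arg)) if arg else r'(?P<%s>.*)' % name)
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile(r'\A%s\Z' % ''.join(out))

def expand_macros(template, values):
    """Expand ${name} / $name from the message's name-value pairs; unknown names become ''."""
    return MACRO_RE.sub(lambda m: values.get(m.group(1) or m.group(2), ''), template)

def load_patterndb(xml_text):
    """Return [(program_names, rules)]; an example is (program, message, expected values, expected tags)."""
    db = []
    for rs in ET.fromstring(xml_text).iterfind('ruleset'):
        rules = []
        for r in rs.iterfind('rules/rule'):
            rules.append({
                'id': r.get('id'), 'class': r.get('class'),
                'patterns': [compile_pattern(p.text) for p in r.iterfind('patterns/pattern')],
                'tags': [t.text for t in r.iterfind('tags/tag')],
                'values': [(v.get('name'), v.text or '') for v in r.iterfind('values/value')],
                'examples': [(ex.find('test_message').get('program', ''), ex.find('test_message').text or '',
                              {v.get('name'): v.text or '' for v in ex.iterfind('test_values/test_value')},
                              [t.text for t in ex.iterfind('test_tags/test_tag')])
                             for ex in r.iterfind('examples/example')],
            })
        db.append(([p.text for p in rs.iterfind('pattern')], rules))   # ruleset-level program names
    return db

def classify(db, program, message):
    """Match one message; return (name-value pairs, tags) as db-parser would attach them."""
    values = {'PROGRAM': program, 'MESSAGE': message, '.classifier.class': 'unknown'}
    for programs, rules in db:
        if program not in programs:          # ruleset program patterns treated as literals here
            continue
        for rule in rules:
            for rx in rule['patterns']:
                m = rx.match(message)
                if m:
                    values.update(m.groupdict())                  # parsed parts, e.g. my_parsed_value
                    values.update({'.classifier.class': rule['class'], '.classifier.rule_id': rule['id']})
                    for name, tmpl in rule['values']:             # static values, macros expanded in order
                        values[name] = expand_macros(tmpl, values)
                    return values, set(rule['tags'])
    return values, set()                                          # no match: class "unknown", no tags

def run_examples(db):
    """Replay every <example> against the database; return a list of failure strings (empty = pass)."""
    failures = []
    for _programs, rules in db:
        for rule in rules:
            for program, message, want_values, want_tags in rule['examples']:
                got, tags = classify(db, program, message)
                if got.get('.classifier.rule_id') != rule['id']:
                    failures.append('%s: example did not match its own rule' % rule['id'])
                    continue
                failures += ['%s: %s expected %r, got %r' % (rule['id'], n, w, got.get(n))
                             for n, w in want_values.items() if got.get(n) != w]
                failures += ['%s: missing tag %s' % (rule['id'], t) for t in want_tags if t not in tags]
    return failures

if __name__ == '__main__':
    db = load_patterndb(SAMPLE_PATTERNDB)
    print(classify(db, 'myprog', 'my pattern test'))
    print('example failures:', run_examples(db) or 'none')
```

Running the file prints the name-value pairs and the tag set for the sample message (foo comes out as "bar test", because the static value refers back to the parsed my_parsed_value) and then the list of example failures, which is empty for the sample. Changing the expected test_value to something the rule does not produce yields a failure string naming the rule id, which is the behaviour you want from examples kept next to their patterns: the examples double as regression tests for the pattern, the tags and the values.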

You can find the source code in my syslog-ng 3.1 git tree at http://git.balabit.hu/?p=marci/syslog-ng-3.1.git;a=summary

Happy tagging!
