Options of db-parsers
This section describes the options of the db-parser() in syslog-ng OSE.
The db-parser() has the following options:
file()
| Accepted values: | filename |
| Default: | The patterndb.xml file in the var directory of the syslog-ng OSE install prefix (for example, /opt/syslog-ng/var/patterndb.xml) |
Description: Specifies the pattern database XML file to load. If omitted, db-parser() uses the default patterndb.xml path configured at build time.
drop-unmatched()
| Accepted values: | yes, no |
| Default: | no |
Description: If set to yes, messages that do not match any rule in the pattern database are dropped by the parser.
inject-mode()
| Accepted values: | internal, pass-through, aggregate-only |
| Default: | pass-through |
Description: Controls how synthetic messages (created by patterndb actions) are injected.
If the configuration version is older than 3.3, the default is internal
for backward compatibility.
- internal: Emit generated messages to the internal() source.
- pass-through: Forward generated messages into the current log path.
- aggregate-only: Do not forward original messages from this parser stage.
message-template()
| Accepted values: | template or macro |
| Default: | ${MESSAGE} |
Description: Specifies which message content to classify. By default, db-parser() classifies the ${MESSAGE} field.
program-template()
| Accepted values: | template or macro |
| Default: | ${PROGRAM} |
Description: Specifies which value to use as the program selector when matching rulesets. By default, db-parser() uses ${PROGRAM}.
persist-name()
| Type: | string |
| Default: | N/A |
Description: If you receive the following error message during syslog-ng OSE startup, set the persist-name() option of the duplicate drivers:
Error checking the uniqueness of the persist names, please override it with persist-name option. Shutting down.
or
Automatic assignment of persist names failed, as conflicting persist names were found. Please override the automatically assigned identifier using an explicit persist-name() option or remove the duplicated configuration elements.
This error happens if you use identical drivers in multiple sources, for
example, if you configure two file sources to read from the same file.
In this case, set the persist-name() of the drivers to a custom string,
for example, persist-name("example-persist-name1").
prefix()
| Type: | string |
| Default: | empty |
Description: Insert a prefix before the name part of the parsed name-value pairs to help further processing. For example:
-
To insert the
my-parsed-data.prefix, use theprefix(my-parsed-data.)option. -
To refer to a particular data that has a prefix, use the prefix in the name of the macro, for example,
${my-parsed-data.name}. -
If you forward the parsed messages using the IETF-syslog protocol, you can insert all the parsed data into the
SDATApart of the message using theprefix(.SDATA.my-parsed-data.)option.
Names starting with a dot (for example, .example) are reserved for use
by syslog-ng OSE. If you use such a macro name as the name of a parsed
value, it will attempt to replace the original value of the macro (note
that only soft macros can be overwritten, see
Hard versus soft macros.
To avoid such problems, use a prefix when naming the parsed values, for example, prefix(my-parsed-data.).
This parser does not have a default prefix. To configure a custom prefix, use the following format:
parser {
db-parser-parser
... other options ...
(prefix("myprefix.")
);
};