In a similar vein to my previous question regarding syslog-ng’s patterndb patterns to match an empty description, I am now trying to match “-- MARK --” messages. The messages look like this:
-- MARK --
Their ${PROGRAM} is apparently set to null/blank. I currently have the following XML for my ruleset, which doesn’t match the messages:
<ruleset name='my-null' id='my-null'>
  <pattern></pattern>
  <rules>
    <rule class='system' id='null_dashed_mark' provider='me'>
      <description></description>
      <patterns>
        <pattern>-- MARK --</pattern>
      </patterns>
      <values>
      </values>
      <examples>
        <example>
          <test_message program="">-- MARK --</test_message>
          <test_values>
          </test_values>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>
I have also tried various combinations of newlines and spaces between <pattern> and </pattern>, to no avail.
So how can I construct my ruleset specification to match/catch these “MARK” messages?
Omit the <pattern> element of the ruleset, then syslog-ng should match the rules of this ruleset for messages without a PROGRAM field.
Regards,
Robert
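The ruleset from the question with the change Robert describes applied, as an added example that is not part of the original thread and has not been checked against a particular syslog-ng version. Only the ruleset-level <pattern> element is dropped; everything else is the question's own XML.

```xml
<!-- Added example: the question's ruleset without a ruleset-level <pattern>.
     Per the answer above, rules in such a ruleset are tried for messages
     that have no PROGRAM field. Place it inside the existing <patterndb>
     root element of the pattern database file. -->
<ruleset name='my-null' id='my-null'>
  <rules>
    <rule class='system' id='null_dashed_mark' provider='me'>
      <description></description>
      <patterns>
        <!-- Literal message text emitted as the periodic mark -->
        <pattern>-- MARK --</pattern>
      </patterns>
      <values>
      </values>
      <examples>
        <example>
          <!-- Empty program attribute mirrors the blank ${PROGRAM} -->
          <test_message program="">-- MARK --</test_message>
          <test_values>
          </test_values>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>
```

Because the rule carries its own <test_message>, running `pdbtool test` against the pattern database file that contains this ruleset reports whether the example message is matched by the rule.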