...also, if you have more than one custom Perl formatting routine and their number is likely to grow in the future, you could separate custom code into a Perl module. When you have lot of code snippets to deal with, having them in a module might increase readability for both SEC rules and Perl code. SEC rule repository contains a relevant example: http://simple-evcorr.sourceforge.net/rulesets/syslog-custom.sec
kind regards, risto On 06/25/2013 05:16 AM, Orangepeel Beef wrote: > works a treat, thanks John > > > On Mon, Jun 24, 2013 at 6:30 PM, John P. Rouillard <[email protected] > <mailto:[email protected]>> wrote: > > > In message > <CAHkPr1EvbEF3LRZWhB7zyRTxVYBnQGWD=9yvvkhx99wupcj...@mail.gmail.com > <mailto:[email protected]>> , > Orangepeel Beef writes: > >Hi guys, i'm using syslog-ng with SEC using the program stream. I > have 2 > >issues. > > > >1: Write to file w/ date in the name.. > > > >trying to do something like this, but haven't gotten it working.. > > > >type=single > >desc=Set log file and addressee list > >ptype=substr > >pattern=SEC_STARTUP > >context=SEC_INTERNAL_EVENT > >action=eval %d ( $date = strftime "%Y-%m-%d", localtime;);\ > > assign %f /opt/log/remote-bytype/comware-%d.log; > > > >type=single > >desc=Log messages to file > >ptype=regexp > >pattern=(.+) > >action=write %f $1 > > > > Try: > > action= eval %r (use POSIX qw(strftime);); \ > eval %d ( $date = strftime "%%Y-%%m-%%d", localtime; return > $date;); \ > assign %f /opt/log/remote-bytype/comware-%d.log; > > You need to load the POSIX lib so strftime was defined. Then the > original %Y %m %d need to be escaped, they were being replaced by > nothing. > > To test, put the rules (with my modified action) in the file called > s.sr <http://s.sr> and run: > > sec -input - -conf s.sr <http://s.sr> -intevent > > and you will see: > > SEC (Simple Event Correlator) 2.7.2 > Reading configuration from s > 2 rules loaded from s > Opening input file - > Stdin connected to terminal, SIGINT can't be used for changing > the logging level > Creating SEC internal context 'SEC_INTERNAL_EVENT' > Creating SEC internal event 'SEC_STARTUP' > Evaluating code 'use POSIX qw(strftime);' and setting variable '%r' > No value received for variable '%r', set to undef > Evaluating code '$date = strftime "%Y-%m-%d", localtime; return > $date;' and setting variable '%d' > Variable '%d' set to '2013-06-24' > Assigning '/opt/log/remote-bytype/comware-2013-06-24.log' to > variable '%f' > Deleting SEC internal context 'SEC_INTERNAL_EVENT' > > With your action I saw: > > Evaluating code '$date = strftime "--", localtime; return $date;' > and setting variable '%d' > > note the missing %Y... as they got expanded/replaced. Then you see > Perl errors like: > > Unquoted string "strftime" may clash with future reserved word at > (eval 3) line 1 > Error evaluating code '$date = strftime "--", localtime; return > $date;': syntax error at (eval 3) line 1, near "strftime "--"" > > because of the missing 'use POSIX ...'. You can test your eval actions > by putting them in a perl script and trying to run it. If you had put > your actions in a file and run perl on the file they would have failed > in a similar manner but in a more easily debugged form. > > -- > -- rouilj > John Rouillard > > =========================================================================== > My employers don't acknowledge my existence much less my opinions. > > > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by Windows: > > Build for Windows Store. > > http://p.sf.net/sfu/windows-dev2dev > > > > _______________________________________________ > Simple-evcorr-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ Simple-evcorr-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
