works a treat, thanks John
On Mon, Jun 24, 2013 at 6:30 PM, John P. Rouillard <rou...@cs.umb.edu>wrote:
>
> In message
> <CAHkPr1EvbEF3LRZWhB7zyRTxVYBnQGWD=9yvvkhx99wupcj...@mail.gmail.com> ,
> Orangepeel Beef writes:
> >Hi guys, i'm using syslog-ng with SEC using the program stream. I have 2
> >issues.
> >
> >1: Write to file w/ date in the name..
> >
> >trying to do something like this, but haven't gotten it working..
> >
> >type=single
> >desc=Set log file and addressee list
> >ptype=substr
> >pattern=SEC_STARTUP
> >context=SEC_INTERNAL_EVENT
> >action=eval %d ( $date = strftime "%Y-%m-%d", localtime;);\
> > assign %f /opt/log/remote-bytype/comware-%d.log;
> >
> >type=single
> >desc=Log messages to file
> >ptype=regexp
> >pattern=(.+)
> >action=write %f $1
> >
>
> Try:
>
> action= eval %r (use POSIX qw(strftime);); \
> eval %d ( $date = strftime "%%Y-%%m-%%d", localtime; return
> $date;); \
> assign %f /opt/log/remote-bytype/comware-%d.log;
>
> You need to load the POSIX lib so strftime was defined. Then the
> original %Y %m %d need to be escaped, they were being replaced by
> nothing.
>
> To test, put the rules (with my modified action) in the file called
> s.sr and run:
>
> sec -input - -conf s.sr -intevent
>
> and you will see:
>
> SEC (Simple Event Correlator) 2.7.2
> Reading configuration from s
> 2 rules loaded from s
> Opening input file -
> Stdin connected to terminal, SIGINT can't be used for changing the
> logging level
> Creating SEC internal context 'SEC_INTERNAL_EVENT'
> Creating SEC internal event 'SEC_STARTUP'
> Evaluating code 'use POSIX qw(strftime);' and setting variable '%r'
> No value received for variable '%r', set to undef
> Evaluating code '$date = strftime "%Y-%m-%d", localtime; return $date;'
> and setting variable '%d'
> Variable '%d' set to '2013-06-24'
> Assigning '/opt/log/remote-bytype/comware-2013-06-24.log' to variable
> '%f'
> Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>
> With your action I saw:
>
> Evaluating code '$date = strftime "--", localtime; return $date;' and
> setting variable '%d'
>
> note the missing %Y... as they got expanded/replaced. Then you see
> Perl errors like:
>
> Unquoted string "strftime" may clash with future reserved word at (eval
> 3) line 1
> Error evaluating code '$date = strftime "--", localtime; return $date;':
> syntax error at (eval 3) line 1, near "strftime "--""
>
> because of the missing 'use POSIX ...'. You can test your eval actions
> by putting them in a perl script and trying to run it. If you had put
> your actions in a file and run perl on the file they would have failed
> in a similar manner but in a more easily debugged form.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
