[syslog-ng] match with value() never matches

Balazs Scheidler bazsi at balabit.hu
Tue Apr 14 22:23:35 CEST 2009


On Wed, 2009-04-08 at 07:43 -0400, srainville at videotron.ca wrote:
> Sorry if this has already been posted.
>  
> I can't seem to get the match filter function to work with a
> value("MACRO"). I can use macros successfully in destinations and
> parsers but the match() doesn't work. I want to use something like:
>  
> filter f_pix { match("%ASA-" value("$MSGHDR")); }; # this fails
>  
> filter f_pix { match("%ASA-"); }; # this works
>  
> I've verified the source events and they do have "%ASA-" in the
> header. I create an output file with a template(header--$MSGHDR--\n)
> and the values are there.

There are still some problems related to match() with the value() option
present. For now it only works with the 'standard' syslog parts (host,
program, msg) _and_ the dynamic values generated using the new parser
framework. Generic macros (which do not fall into the previous
categories) do not. This is basically a design error, but I think it is
a bug and I intend to fix it.

The correct syntax is value("MESSAGE"), i.e. there's no dollar sign
before the macro name. This is not fortunate as it differs from the
normal template definition where the dollar sign indicates that a macro
expansion needs to be done. The problem is that I originally didn't
intend to support _any_ kind of macro expansion here. That's the design
error, that I have to admit.

The solution is not that difficult, but as of now, the value() option
for the match() filter is not very usable. Sorry for that.

Here's a list of supported "values":
  "HOST", 
  "HOST_FROM", 
  "MESSAGE",
  "PROGRAM",
  "PID",
  "MSGID",
  "SOURCE",

And any kind of values that you created with a parser. Hopefully I can
come up with a solution that's compatible with the current 3.0.x
behaviour and one that is more intuitive.

-- 
Bazsi
