[syslog-ng] Match/Message/Macros

R King tckingr at yahoo.com
Tue Nov 3 22:16:40 CET 2009


Thanks

--- On Tue, 11/3/09, Balazs Scheidler <bazsi at balabit.hu> wrote:

From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] Match/Message/Macros
To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>
Date: Tuesday, November 3, 2009, 11:15 AM

On Tue, 2009-11-03 at 08:56 -0800, R King wrote:
> I have updated Syslog-NG to 3 and am trying to figure out:
> 
> "WARNING: the match() filter without the use of the value() option is
> deprecated and hinders performance, please update your configuration;"
> 
> I have one filter that isn't working and I have tried several
> different ways to fix it.
> The logs are Windows DHCP logs passed from EPILOG:
> 
> Nov  3 11:37:55 snsudc02 DHCPLOG[0]:
> 11,11/03/09,11:37:54,Renew,172.31.0.213,Ashley-PC.nsu.edu,001B9E2A18E9,
> Nov  3 11:37:55 snsudc02 DHCPLOG[0]:
> 11,11/03/09,11:37:55,Renew,172.16.0.191,donovan-dcda8cf.,000B7D0993DF,
> 
> My filter originally was:
> filter f_dhcp { match("DHCPLOG"); };
> 
> I've tried all these without success:
> filter f_dhcp { message("DHCPLOG"); };
> filter f_dhcp { program("DHCPLOG"); };
> filter f_dhcp { match("DHCPLOG" flags("ignore-case")
> value("$PROGRAM")); };
> filter f_dhcp { match("0" value("$PID")); };
> 
> Any help would be greatly appreciated.
> 

Basically the 3rd one should have been ok, with one small issue:

filter f_dhcp { match("DHCPLOG" flags("ignore-case") value("PROGRAM")); };
                                                           ^^^^ no '$'

The value() options omit the '$' sign, because name-value pairs are not
macros; for example, name-value pairs can be changed (with rewrite), whereas some
of the macros cannot be.

Nevertheless, it is a common mistake, thus I'll probably change this to
behave more intuitively.

-- 
Bazsi

