<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Thanks<br><br>--- On <b>Tue, 11/3/09, Balazs Scheidler <i>&lt;bazsi@balabit.hu&gt;</i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Balazs Scheidler &lt;bazsi@balabit.hu&gt;<br>Subject: Re: [syslog-ng] Match/Message/Macros<br>To: "Syslog-ng users' and developers' mailing list" &lt;syslog-ng@lists.balabit.hu&gt;<br>Date: Tuesday, November 3, 2009, 11:15 AM<br><br><div class="plainMail">On Tue, 2009-11-03 at 08:56 -0800, R King wrote:<br>> I have updated Syslog-NG to 3 and am trying to figure out:<br>> <br>> "WARNING: the match() filter without the use of the value() option is<br>> deprecated and hinders performance, please update your configuration;"<br>> <br>> I have one filter that isn't working and I have tried several<br>> different ways to fix it.<br>> The
logs are Windows DHCP logs passed from EPILOG:<br>> <br>> Nov 3 11:37:55 snsudc02 DHCPLOG[0]:<br>> 11,11/03/09,11:37:54,Renew,172.31.0.213,Ashley-PC.nsu.edu,001B9E2A18E9,<br>> Nov 3 11:37:55 snsudc02 DHCPLOG[0]:<br>> 11,11/03/09,11:37:55,Renew,172.16.0.191,donovan-dcda8cf.,000B7D0993DF,<br>> <br>> My filter originally was:<br>> filter f_dhcp { match("DHCPLOG"); };<br>> <br>> I've tried all these without success:<br>> filter f_dhcp { message("DHCPLOG"); };<br>> filter f_dhcp { program("DHCPLOG"); };<br>> filter f_dhcp { match("DHCPLOG" flags("ignore-case")<br>> value("$PROGRAM")); };<br>> filter f_dhcp { match("0" value("$PID")); };<br>> <br>> Any help would be greatly appreciated.<br>> <br><br>Basically the 3rd one should have been ok, with one small issue:<br><br>filter f_dhcp { match("DHCPLOG" flags("ignore-case") value("PROGRAM")); };<br>
^^^^ no '$'<br><br>the value() options omit the '$' sign, because name-value pairs are not <br>macros, for example name-value pairs can be changed (with rewrite) whereas some<br>of the macros cannot be.<br><br>Nevertheless, it is a common mistake, thus I'll probably change this to<br>behave more intuitively.<br><br>-- <br>Bazsi<br><br></div></blockquote></td></tr></table><br>