<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">There is a workaround to this current
issue where patterns can be changed to have @ANYSTRING@ at the
end.<br>
Explicitly doing this, rather than having patterndb do it
automatically, gives the user the most control/flexibility.<br>
Because there is a workaround available, I would NOT revert this
latest change.<br>
<br>
If you look at the original bug report<br>
<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.balabit.com/show_bug.cgi?id=211">https://bugzilla.balabit.com/show_bug.cgi?id=211</a><br>
<br>
it was to use the amount of literal text in the pattern for the
order of preference, so I would add this to the<br>
patterndb, NOT pdbtool merge, because many people will not use
pdbtool merge and the results of a merged and manual pattern
database should be consistent. A change request for literal text
pattern preference should be added to the TODO list.<br>
<br>
With regard to "whether the preference over full matches over
partial ones should stay as an option", I don't see this as
valuable. Using full matches is really just an edge case of longer
matches. It does not make sense for the length of a message
(rather than the pattern) to influence the order of matching
preference. The order of matching needs to be consistent
regardless of the log stream input, which is unknown at the time
of making the pattern database.<br>
<br>
Does that make sense?<br>
<br>
Evan.<br>
<br>
<br>
<br>
On 09/26/2015 11:33 AM, Scheidler, Balázs wrote:<br>
</div>
<blockquote
cite="mid:CANWQT2ODeALJkDrvGmL6KAxw=5r1tO+vNfoZzb85fKWrNNaicw@mail.gmail.com"
type="cite">
<p dir="ltr">Hi,</p>
<p dir="ltr">It is simple to revert to the old behaviour, and
maybe we should just do that.</p>
<p dir="ltr">Using the amount of literal text in the pattern as
the sort order of specifism is a good idea, this could perhaps
be added to pdbtool merge.</p>
<p dir="ltr">The question is whether the preference over full
matches over partial ones should stay as an option or be dropped
entirely.</p>
<p dir="ltr">What do you think?</p>
<div class="gmail_quote">On Sep 22, 2015 10:43 PM, "Fabien Wernli"
&lt;<a moz-do-not-send="true" href="mailto:wernli@in2p3.fr">wernli@in2p3.fr</a>&gt;
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Evan,<br>
<br>
On Tue, Sep 22, 2015 at 09:49:43AM -0700, Evan Rempel wrote:<br>
> I propose that the PatternDB preference be changed from
the pattern with the longest MATCH to the pattern with the
largest amount of static content.<br>
<br>
I fully agree with Evan here: it should work as described in
this sentence.<br>
That being said, I'm not so sure about the status quo with
3.7.1.<br>
Maybe Balázs can give some more details on the change?<br>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
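<p>An added illustration of the ordering proposed in this thread (ranking patterns by their amount of literal text), not code from the thread or from syslog-ng. It assumes the patterndb syntax of @PARSER:name:params@ fields with @@ as an escaped literal @; the function names and sample patterns are constructed for this example.</p>

```python
# Added example: rank patterndb-style patterns by the amount of literal
# (static) text they contain, so the ordering depends only on the pattern
# database and never on the length of an incoming log message.
# Function names and sample patterns are hypothetical, built for this example.

def literal_length(pattern):
    """Return the number of literal characters in a pattern.

    Assumed syntax: @PARSER:name:params@ is a parser field and
    contributes nothing; @@ is one literal '@'.
    """
    count = 0
    i = 0
    while i != len(pattern):
        if pattern[i] != "@":
            count += 1          # ordinary literal character
            i += 1
        elif pattern.startswith("@@", i):
            count += 1          # escaped literal '@'
            i += 2
        else:
            end = pattern.find("@", i + 1)
            if end == -1:
                raise ValueError("unterminated parser field in: " + pattern)
            i = end + 1         # skip the whole parser field
    return count


def rank(patterns):
    """Most literal text first; ties broken by pattern text for stability."""
    return sorted(patterns, key=lambda p: (-literal_length(p), p))


# Constructed sample patterns, from catch-all to specific.
PATTERNS = [
    "@ANYSTRING:all@",
    "Accepted @ANYSTRING:rest@",
    "Accepted password for @ESTRING:user: @from @IPv4:src@ port @NUMBER:port@",
]

if __name__ == "__main__":
    for p in rank(PATTERNS):
        print(literal_length(p), p)
```
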
</body>
</html>