On Fri, 2010-06-25 at 11:28 +0200, Balazs Scheidler wrote:
On Fri, 2010-06-25 at 11:14 +0200, Alan McKinnon wrote:
No, you seem to misunderstand how match() works.
The syntax is match(<regexp> value ("MACRO"))
<regexp> is a normal regular expression and a MACRO is a name syslog-ng applies to a piece of the log entry after it has parsed it - things like PID, PRIORITY, MESSAGE. This implies there has to be some structure to the message so syslog-ng can figure it all out. You can create your own macros too for unusual logs.
There is no macro called "lighttpd" and there is no facility by that name either. You cannot change facility names as you feel like it, they are predefined and fixed. You are searching for a program name, so this is what you want as a filter:
program("lighttpd")
or (longer version)
match("lighttpd" value("PROGRAM"))
Read it this way: Match the string "lighttpd" in the section of the log called "PROGRAM". Or put another way, the "value" is the name of the place to look and find a match.
Please also note that all match-like filters also support a range of matching engines, so it is possible to write:
match("lighttpd" value("PROGRAM") type("string"));
The list of matching engines:

* regexp

I was just told that "regexp" is recognized as "posix" (corresponding to POSIX extended regexps) and this is the default.

* pcre
* string
* glob
-- Bazsi
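
The filters discussed in this thread, placed in a complete log path, as an added example that is not part of the original messages. The source, destination and filter names and the log file path are assumptions; each pattern is written for the engine it is paired with.

```conf
# Added example, not from the thread. All object names and the
# file path below are assumptions chosen for illustration.
source s_local { unix-stream("/dev/log"); internal(); };

destination d_lighttpd { file("/var/log/lighttpd.log"); };

# Short form: test the PROGRAM macro directly.
filter f_prog { program("lighttpd"); };

# Long form with the default engine (POSIX extended regexp).
filter f_posix { match("^lighttpd$" value("PROGRAM")); };

# The same test with the other engines named in the thread.
# pcre: Perl-compatible regular expression.
filter f_pcre { match("^lighttpd$" value("PROGRAM") type("pcre")); };
# string: literal comparison, no regexp metacharacters.
filter f_string { match("lighttpd" value("PROGRAM") type("string")); };
# glob: shell-style wildcard pattern.
filter f_glob { match("lighttpd*" value("PROGRAM") type("glob")); };

# Route only lighttpd messages to their own file.
log { source(s_local); filter(f_string); destination(d_lighttpd); };
```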