On Fri, 2009-09-18 at 10:59 -0500, Jeremy M. Guthrie wrote:
Can anyone shed light on what the below error message means? I cannot find anything on what value() is and why my syntax is wrong. I am migrating an older configuration to 3.0.4.
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
In syslog-ng versions prior to 3.0, the complete message starting from the program name was stored internally as a single string, e.g. the $MSG macro was a simple variable reference, and the match() filter always matched against this string.

In syslog-ng 3.0, this was changed (because of the new IETF protocol format), syslog-ng stores all bits found in the syslog message in separate fields, e.g. $PROGRAM, $PID and $MSG together make up the syslog message as you know it.

Because of backwards compatibility, match() still matches against the old "$PROGRAM[$PID]: $MSG" format (expressed in the new meanings of these macros), however since this is not a simple variable reference anymore, syslog-ng needs to construct this value for every match() invocation.

The match() filter has been repurposed, and a new message() filter was also introduced. E.g. if you want to match against the message payload (without the program name and pid), you should use the message() filter.

The match() filter was extended to be able to match against any fields of a syslog message using this syntax:

    match("regexp" value("MESSAGE"));

This is equivalent to the message() filter. However now you can also match against custom fields that you can associate with the message using parsers, e.g. you are not limited to internal values, you can also add your own.

--
Bazsi
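Added example, not part of the original thread: a syslog-ng 3.0 configuration sketch showing how a 2.x-style match() whose regexp spans the program name and the payload can be split across the separate fields described above. The source, destination and filter names, the log path and the "Failed password" pattern are assumptions chosen for illustration.

```conf
@version: 3.0

# Hypothetical source and destination names; adjust to the local setup.
source s_local { unix-stream("/dev/log"); internal(); };
destination d_auth_fail { file("/var/log/ssh-auth-failures.log"); };

# 2.x-style filter, kept commented out for comparison. The regexp runs
# against the reconstructed "$PROGRAM[$PID]: $MSG" string, so syslog-ng 3.0
# has to rebuild that string for every message and prints the deprecation
# warning when the configuration is loaded.
#
# filter f_ssh_fail_old { match("sshd.*Failed password"); };

# 3.0 form: the program name and the payload are separate fields, so the
# single regexp is split into one test per field.
filter f_ssh_fail {
    program("sshd") and message("Failed password");
};

# The same intent written with match() and an explicit value(). Anchoring
# the PROGRAM test makes it stricter than the unanchored program("sshd")
# above: a program name that merely contains "sshd" no longer matches.
filter f_ssh_fail_strict {
    match("^sshd$" value("PROGRAM")) and
    match("Failed password" value("MESSAGE"));
};

log {
    source(s_local);
    filter(f_ssh_fail_strict);
    destination(d_auth_fail);
};
```

When migrating detection filters this way, check each old regexp for parts that relied on the "[$PID]: " separator between program name and payload, since that text exists in neither $PROGRAM nor $MSG.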