I'm having a problem using the match() filter in my syslog-ng.conf file.
I have a log file below in which I'm trying to separate the events into different log files based on the field variables "[commonservices]" and "[fx]".
<snip>
My syslog-ng.conf looks like this:

    filter f_common { match("[commonservices]"); };
    filter f_fx { match("[fx]"); };
    filter f_core { match("[core]"); };

It sounds like you just landed in the wonderful world of regular expressions. When you use "[abcd]" in a regular expression, it means match either a or b or c or d. So in your config above, match("[commonservices]") will match any line that has a c or o or m or n or s or e or r or v or i.

In order for match("") to actually match a "[" character, you need to "escape" it. Escaping lets you tell the regular expression engine to treat the "[" just as a "[", not a special character. As I remember, you actually need to double escape in a syslog-ng.conf file, something like this:

    filter f_common { match("\\[commonservices\\]"); };

Mike
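
The effect described in the reply above, as an added example that is not part of the original thread: the three filter strings are run over constructed sample lines, unescaped, single-escaped and double-escaped. Python's `re` stands in for the regex engine, and `conf_string_to_regex` models the assumption that the config parser consumes one level of backslash escaping inside double quotes; the sample lines and function names are hypothetical.

```python
import re

# Constructed sample lines in the shape the question describes (not from the thread).
SAMPLE_LINES = [
    "Jan 10 12:00:01 app1 [commonservices] cache refreshed",
    "Jan 10 12:00:02 app1 [fx] rate table loaded",
    "Jan 10 12:00:03 app1 [core] config reloaded",
]

# Filter strings exactly as they would be typed between the double quotes
# in syslog-ng.conf. Raw strings keep the backslashes as typed.
AS_ASKED = {"f_common": r"[commonservices]", "f_fx": r"[fx]", "f_core": r"[core]"}
SINGLE_ESCAPED = {"f_common": r"\[commonservices\]", "f_fx": r"\[fx\]", "f_core": r"\[core\]"}
DOUBLE_ESCAPED = {"f_common": r"\\[commonservices\\]", "f_fx": r"\\[fx\\]", "f_core": r"\\[core\\]"}


def conf_string_to_regex(conf_string):
    """Assumption: the config parser consumes one level of backslash escaping
    in a double-quoted string before the regex engine sees the pattern."""
    return re.sub(r"\\(.)", r"\1", conf_string)


def route(lines, filters):
    """Apply each filter independently, as separate log paths would, and
    return {filter_name: [matching lines]}. A line may land in several."""
    result = {}
    for name, conf_string in filters.items():
        pattern = re.compile(conf_string_to_regex(conf_string))
        result[name] = [line for line in lines if pattern.search(line)]
    return result


def counts(filters):
    """Number of sample lines each filter accepts."""
    return {name: len(hits) for name, hits in route(SAMPLE_LINES, filters).items()}


if __name__ == "__main__":
    for label, filters in [("as asked", AS_ASKED),
                           ("single-escaped", SINGLE_ESCAPED),
                           ("double-escaped", DOUBLE_ESCAPED)]:
        print(label, counts(filters))
```

With the unescaped or single-escaped strings every sample line is accepted by all three filters, so each destination file receives every event; only the double-escaped form splits them one per file.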