What if we grabbed the tail of the message you are matching with @ANYSTRING@ to a name-value pair automatically, so you don't need anything in your rule, making it a shorter match than the other. What do you think? On Sep 22, 2015 10:43 PM, "Fabien Wernli" <wernli@in2p3.fr> wrote:
Hi Evan,
On Tue, Sep 22, 2015 at 09:49:43AM -0700, Evan Rempel wrote:
I propose that the PatternDB preference be changed from the pattern with the longest MATCH to the pattern with the largest amount of static content.
I fully agree with Evan here: it should work as described in this sentence. That being said, I'm not so sure about the Status quo with 3.7.1. Maybe Balázs can give some more details on the change?
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq