What if we grabbed the tail of the message you are matching with @ANYSTRING@ to a name-value pair automatically, so you don't need anything in your rule, making it a shorter match than the other?
What do you think?
Hi Evan,
On Tue, Sep 22, 2015 at 09:49:43AM -0700, Evan Rempel wrote:
> I propose that the PatternDB preference be changed from the pattern with the longest MATCH to the pattern with the largest amount of static content.
I fully agree with Evan here: it should work as described in this sentence.
That being said, I'm not so sure about the status quo with 3.7.1.
Maybe Balázs can give some more details on the change?