On Thu, 2006-09-28 at 13:02 -0700, Evan Rempel wrote:
I am thinking of a way to use regular expressions more efficiently by adding a fixed string match along with the regular expression.
filter f_xntp_filter_no_regexp {
    # original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually)"
    # note: no space before "set" in the regex, the message text is "(set clock manually)"
    program("xntpd") and match("time error .* is way too large .*set clock manually");
};
which will evaluate the regular expression for all messages.
The syslog-ng FAQ recommends the filter
filter f_xntp_filter_no_regexp {
    # original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually)"
    program("xntpd") and match("time error") and match("is way too large") and match("set clock manually");
};
but that would match the message
"xntpd[1234]: length is way too large of a time error to make set clock manually succeed."
which isn't what I want to match.
I would like to do
filter f_xntp_filter_no_regexp {
    # original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually)"
    # cheap fixed-string tests first, the full regex (no space before "set") last
    program("xntpd")
        and match("time error")
        and match("is way too large")
        and match("set clock manually")
        and match("time error .* is way too large .*set clock manually");
};
So, the question is: if the message does not match any of the fixed strings, does the regular expression get evaluated, or does the first non-matching fixed string cause the filter evaluation to abort?
syslog-ng bails out if the first operand to an AND operation fails, i.e. it short-circuits evaluation just like C (and all sane languages) do. I'm not sure, though, that doing 3 iterations through the string using the fixed patterns is justified for a single regexp evaluation. I'd think that one fixed pattern, at the beginning of the message, should filter out the majority of the messages. (And use '^' in the fixed pattern; it should also help.)

-- Bazsi
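A small simulation of the evaluation order discussed above, added here as an example; it is not code from syslog-ng or from either poster. It models a filter as a chain of predicates joined by short-circuiting `and` (the same thing syslog-ng does with its AND), counts how many substring tests and regex evaluations each variant performs over a handful of constructed log lines, and shows the false positive the three-substring FAQ filter produces on Evan's counter-example. Assumptions: `match()` is taken to test only the message text after the `program[pid]:` prefix, `^` in a fixed pattern is treated as "message starts with", and the regex is written with no space before `set` so it matches the real xntpd text `(set clock manually)`.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines for the demo (not captured from a real host).
SAMPLE_LINES = [
    "xntpd[1567]: time error -1159.777379 is way too large (set clock manually)",
    "xntpd[1234]: length is way too large of a time error to make set clock manually succeed.",
    "xntpd[1567]: synchronized to 192.0.2.1, stratum 2",
    "sshd[2201]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2",
    "xntpd[1567]: time error -0.001234 is small",
]

# "program[pid]: message" -> (program, message); assumption: match() sees only the message part.
SYSLOG_RE = re.compile(r"^(?P<program>[^\[:\s]+)(?:\[\d+\])?:\s(?P<message>.*)$")

# The combined regex with no space before "set", so "(set clock manually)" matches.
XNTP_RE = r"time error .* is way too large .*set clock manually"


def parse(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None, line
    return m.group("program"), m.group("message")


@dataclass
class Counters:
    fixed: int = 0   # substring comparisons actually performed
    regex: int = 0   # regex evaluations actually performed


def program(name):
    def pred(prog, msg, c):
        return prog == name
    return pred


def match_fixed(needle):
    # Plain substring test. A leading '^' anchors it to the start of the message,
    # which is the cheap prefilter Bazsi recommends.
    anchored = needle.startswith("^")
    text = needle[1:] if anchored else needle

    def pred(prog, msg, c):
        c.fixed += 1
        return msg.startswith(text) if anchored else text in msg
    return pred


def match_regex(pattern):
    rx = re.compile(pattern)

    def pred(prog, msg, c):
        c.regex += 1
        return rx.search(msg) is not None
    return pred


def run_filter(preds, lines):
    """Evaluate an AND chain with short-circuiting: the first False stops the chain."""
    c = Counters()
    hits = []
    for line in lines:
        prog, msg = parse(line)
        if all(p(prog, msg, c) for p in preds):   # all() stops at the first False
            hits.append(line)
    return hits, c


FILTERS = {
    # Evan's first filter: the regex runs for every xntpd message.
    "regex_only": [program("xntpd"), match_regex(XNTP_RE)],
    # The FAQ variant: three substrings, no ordering, hence the false positive.
    "faq_substrings": [program("xntpd"), match_fixed("time error"),
                       match_fixed("is way too large"), match_fixed("set clock manually")],
    # One anchored fixed prefix, then the regex only for the survivors.
    "anchored_prefilter": [program("xntpd"), match_fixed("^time error"), match_regex(XNTP_RE)],
}


def compare(lines=SAMPLE_LINES):
    return {name: run_filter(preds, lines) for name, preds in FILTERS.items()}


if __name__ == "__main__":
    for name, (hits, c) in compare().items():
        print(f"{name}: {len(hits)} hit(s), {c.fixed} substring tests, {c.regex} regex runs")
        for h in hits:
            print("   ", h)
```

Running it shows the FAQ filter matching both the real xntpd line and the "length is way too large of a time error ..." line, while the regex-only and anchored variants match only the real one; the anchored variant runs the regex on just the two messages that start with "time error" instead of on all four xntpd messages.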