https://bugzilla.balabit.com/show_bug.cgi?id=228

Balazs Scheidler <bazsi@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|                            |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Balazs Scheidler <bazsi@balabit.hu>  2013-03-13 11:45:59 ---
Hi,

Please note that the use of English is preferred in this bugzilla, I'll try to
translate both your question and my response.

(In reply to comment #0)
> Hi all!
>
> The system was upgraded in the proper steps from Ubuntu 8.04 LTS to 12.04 LTS,
> and in the syslog-ng 3.3.4 that ships with it, match regex filtering does not
> work properly. Specifically, filtering on a plain string only takes effect if
> there is a space before the string in the incoming log.
>
> Filter:
>
> filter f_EQAM_BW_OVERSUB { netmask("172.18.96.0/255.255.224.0") and match("Bandwidth Oversubscribed" value("MESSAGE")); };
>
> If I send a test message into it with netcat, the filter only takes effect if
> there is a space between the searched text and the content preceding it, e.g.:
>
> "test Bandwidth Oversubscribed" works
> "testBandwidth Oversubscribed" does not work

The question (summary): that syslog-ng 3.3.4 in Ubuntu 12.04 seems to interpret
the match() filter incorrectly, it matches if there's a space in front of the
pattern, and doesn't work otherwise.

My answer: in syslog-ng 3.0, the content matched by match() has changed, if you
also add the "@version" tag into your configuration file. In versions prior to
3.0, match() matched against the whole "$PROGRAM[$PID]: $MESSAGE" value, while
with the match() specification above, it only matches against the $MESSAGE part.

You can continue to use "@version: 2.0", but that's not recommended. There
should have been a warning about the change, when you first started syslog-ng
with the original configuration file.

Since the first word is interpreted as the PROGRAM value for syslog formatted
data (unless no-parse is specified), your 'test' string is stuffed into
$PROGRAM, but only if there's a space. If there's no space, your $PROGRAM will
become "testBandwidth" and $MESSAGE becomes "Oversubscribed".

If you are not really processing syslog data, you should probably specify
flags(no-parse) on the input, which causes syslog-ng to put everything into
$MESSAGE and your filter expression will work.

All in all, this doesn't seem to be a bug to me, but please reopen if you
disagree.
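
The PROGRAM/MESSAGE split described in comment #1, as an added Python example that is not part of the bug report and is not syslog-ng code. It is a simplified model: it follows only the "first word becomes PROGRAM" rule from the reply, leaves out priority, timestamp, host and PID handling as well as the netmask() half of the filter, and the function names and sample payloads are constructed for illustration.

```python
import re

# Pattern taken from the match() expression in the reported filter.
PATTERN = re.compile(r"Bandwidth Oversubscribed")


def split_fields(payload, no_parse=False):
    """Return (PROGRAM, MESSAGE) for a raw payload.

    Hypothetical helper modelling the reply's description: without
    no-parse the first space-delimited word becomes PROGRAM and the
    rest becomes MESSAGE; with no-parse everything stays in MESSAGE.
    """
    if no_parse:
        return "", payload
    program, _, message = payload.partition(" ")
    return program, message


def filter_matches(payload, no_parse=False):
    """Evaluate match("Bandwidth Oversubscribed" value("MESSAGE"))."""
    _, message = split_fields(payload, no_parse)
    return PATTERN.search(message) is not None


def missed(payloads, no_parse=False):
    """Payloads that contain the pattern but are not selected by the filter."""
    return [p for p in payloads
            if PATTERN.search(p) and not filter_matches(p, no_parse)]


# Constructed test payloads, in the style of the netcat tests in comment #0.
SAMPLES = [
    "test Bandwidth Oversubscribed",
    "testBandwidth Oversubscribed",
    "Bandwidth Oversubscribed on port 3",
    "unrelated message",
]

if __name__ == "__main__":
    for mode in (False, True):
        print("no_parse=%s missed=%r" % (mode, missed(SAMPLES, no_parse=mode)))
```

Under this model a payload that begins with the pattern is also missed, because its first word lands in PROGRAM; with no-parse nothing containing the pattern is missed.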