On Mon, Sep 20, 2010 at 05:44:10PM -0600, syslogng@feystorm.net wrote:
Your first line should be working. Not sure why it is not. However you can try using:

    not message('Audit daemon rotating log files' flags('ignore-case'))

Simpler and does exactly what your old config did.
My only guess so far besides an outright bug: the message is formatted wrong inside the Syslog packet and the packet parser behavior changed from the old version to the new version in such a way that the macros are not being populated with the strings we expect. However I have set up several PCRE filters against message content using 3.1 and have not seen anything broken. So the bug possibility seems unlikely compared to an issue parsing the particular string.

It would be helpful if we could get the tshark -V or full Wireshark payload of a message that fails to decode so we could see what was contained in the original packet.

Matthew.