No, you seem to misunderstand how match() works. The syntax is

match(<regexp> value ("MACRO"))

<regexp> is a normal regular expression and a MACRO is a name syslog-ng applies to a piece of the log entry after it has parsed it - things like PID, PRIORITY, MESSAGE. This implies there has to be some structure to the message so syslog-ng can figure it all out. You can create your own macros too for unusual logs.

There is no macro called "lighttpd" and there is no facility by that name either. You cannot change facility names as you feel like it, they are predefined and fixed.

You are searching for a program name, so this is what you want as a filter:

program("lighttpd")

or (longer version)

match("lighttpd" value("PROGRAM"))

Read it this way: Match the string "lighttpd" in the section of the log called "PROGRAM". Or put another way, the "value" is the name of the place to look and find a match.

On Friday 25 June 2010 11:02:45 ml ml wrote:
Hello,
thanks for the hint! Now I seem to struggle with the usage of it :)
I would like to log everything from the lighttpd daemon to a different logfile:

Jun 25 10:59:19 lighty-dev lighttpd[30575]: (log.c.172) server started

So I tried this filter:

filter f_lighttpd { match("lighttpd" value("lighttpd")); };

Basically I would like to match for the facility "lighttpd", right?! I don't really need a regex here.
Thanks, Mario
On Fri, Jun 25, 2010 at 10:32 AM, Alan McKinnon <Alan.McKinnon@is.co.za> wrote:
On Friday 25 June 2010 10:18:38 ml ml wrote:
Hello List,
I am getting this error:

WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
Restarting syslog-ng: Stopping syslog-ng: OK.
Starting syslog-ng: WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;

[snip]

### 3.) FILTERS
filter f_ldap { match("slapd"); };
The message tells you what to do, it's right there in the admin guide :-)
pg 213 of the 3.0 admin guide:
The syntax has changed from earlier versions. match() now wants to know which part of the log to perform the match on. Your matches seem to use the program name, so use:
match("slapd" value("PROGRAM"))

to search the entire message for a match, use

match("slapd" value("MSG"))

or (better)

message("slapd")
Note that the macro name (MSG, PROGRAM, etc) does not have a leading $ - you are giving a macro name to use, not dereferencing it.
-- Alan McKinnon Systems Engineer^W Technician Infrastructure Services Internet Solutions
+27 11 575 7585
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
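The following is an added example, not part of the thread and not syslog-ng code: a simplified Python model of the point made in the reply, that match() searches only the named part of a parsed log entry. The parsing regex, the helper names (parse, match, route) and the second sample line are assumptions made for this illustration; it shows why value("lighttpd") can never match and why routing on PROGRAM differs from routing on message text.

```python
import re

# Simplified model of splitting a BSD-style syslog line into named parts.
# Macro names follow the thread (PROGRAM, PID, MESSAGE); the regex is an
# assumption of this example, not syslog-ng's own parser.
LINE_RE = re.compile(
    r"^(?P<DATE>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<HOST>\S+) "
    r"(?P<PROGRAM>[^\s\[:]+)(?:\[(?P<PID>\d+)\])?: "
    r"(?P<MESSAGE>.*)$"
)

def parse(line):
    """Return a dict of macro name -> text; unparsed lines only get MESSAGE."""
    m = LINE_RE.match(line)
    if m is None:
        return {"MESSAGE": line}
    return {name: text or "" for name, text in m.groupdict().items()}

def match(pattern, value, macros):
    """Model of match("pattern" value("NAME")): search only the named part.
    A name that is not a macro (e.g. "lighttpd") has no text to search."""
    return re.search(pattern, macros.get(value, "")) is not None

def route(line):
    """Send entries whose PROGRAM is lighttpd to their own file."""
    macros = parse(line)
    return "lighttpd.log" if match("lighttpd", "PROGRAM", macros) else "messages"

# First line is the one quoted in the thread; the second is constructed.
SAMPLES = [
    "Jun 25 10:59:19 lighty-dev lighttpd[30575]: (log.c.172) server started",
    "Jun 25 11:00:02 lighty-dev cron[412]: (root) CMD (restart lighttpd)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        macros = parse(line)
        print(route(line),
              "MESSAGE match:", match("lighttpd", "MESSAGE", macros),
              "value('lighttpd') match:", match("lighttpd", "lighttpd", macros))
```

The constructed cron line mentions lighttpd only in its text, so a filter on the message body would pick it up while the PROGRAM filter does not.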