On Mon, 2010-09-20 at 16:24 -0700, Matthew Hall wrote:
On Tue, Sep 21, 2010 at 12:52:17AM +0200, Alan McKinnon wrote:
Your "value" is wrong. It's a variable name, not a literal string, so you use it like this:
value(MSGONLY)
or the cleaner version
value(${MSGONLY})
Are you sure? If you are sure about it, there is one example in the documentation where it is not performed this way.
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guid...
The following filter statement selects the messages that contain the word deny and come from the host example.
filter demo_filter { host("example") and match("deny" value("MESSAGE")); };
So we better get somebody from Balabit to correct the documentation ASAP if it's wrong like you suspect it to be.
match() is complicated as its meaning has changed slightly when changing from 2.1 to 3.0. In 2.1 (and in 2.1 compatibility mode of 3.0) match matches against the string "program[pid]: message". Starting with 3.0 (if @version: 3.0 is specified in the config file), match() becomes a generic filter to match against the contents of any name-value pair. The pattern is the first argument and the optional value() option specifies which name-value pair to look into. By default it works against the contents of $MESSAGE.

match("almafa")

means to look for the string "almafa" inside $MESSAGE. You can also achieve the same functionality by using

message("almafa")

Also, to complicate things even further (but I hope we can get over the upgrade hassles quickly :) in 3.0 (but not in 3.1) the match() filter couldn't cope with macros, whereas it could work with name-value pairs. It is very difficult to decide what is a name-value pair and what is a macro without checking the source code. That's why this has changed in 3.1, where match() (and other similar functionality) will transparently use macro values just like name-value pairs.

The difference between macros and name-value pairs is that macros are read-only values, generated when a template is formatted. Name-value pairs on the other hand are read-write values associated with messages.

Hope this makes things clearer.

Matthew, where did you see the erroneous example? I couldn't find any.

-- Bazsi
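A complete configuration illustrating the 3.0+ match() semantics described in the reply above (an added example, not taken from the thread or from the syslog-ng documentation; the source socket, host name, destination path and the PROGRAM-based filter are assumptions chosen for illustration):

```conf
@version: 3.1
# Added example (not from the thread). Paths and names are placeholders.
# Because @version is 3.x, match() searches a single name-value pair (or, in
# 3.1, a macro) instead of the 2.1-style "program[pid]: message" string.

source s_local { unix-dgram("/dev/log"); };

# Pattern first, then the optional value("NAME") selecting which name-value
# pair is searched. Here value("MESSAGE") is explicit, so only the message
# body is inspected (the regexp is not run over the program name or pid).
filter f_deny_message { host("example") and match("deny" value("MESSAGE")); };

# Equivalent shorthand: message() always searches $MESSAGE.
filter f_deny_message_short { host("example") and message("deny"); };

# In 3.1 value() may also name a read-only macro such as PROGRAM, so the
# same filter style can restrict by sending program rather than by body.
filter f_sshd_deny { match("^sshd$" value("PROGRAM")) and message("deny"); };

destination d_denied { file("/var/log/denied.log"); };

log { source(s_local); filter(f_deny_message); destination(d_denied); };
log { source(s_local); filter(f_sshd_deny);    destination(d_denied); };
```

Omitting the @version line (or setting it to 2.1) would silently change what f_deny_message matches against, which is why a config carrying the 3.x-style value() option should always declare its version explicitly.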