Hi,

yes, the workaround works for me. Thank you very much! Hope you get the cause of it quickly. Thanks again for your time!

Best regards,
Tom

Quoting Gergely Nagy <algernon@balabit.hu>:
Gergely Nagy <algernon@balabit.hu> writes:
Can you reproduce the error? Or do you have a working example for conditional rewrites?
Didn't get that far yet, will see in about half an hour or so.
Yep, reproduced. filter in itself catches it nicely, rewrite fails:
And I have a suspicion where the problem lies. With a bit of luck, I'll have a solution by tomorrow.
While I don't yet have a solution, I know where the problem is, and am working on a fix.
For the time being, I can offer a workaround: if you inline the condition, instead of using filter() inside the condition, that will work:

    rewrite r_cisco_program_inline {
        set("$1", value("PROGRAM"),
            condition(
                match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
                      flags("store-matches" "nobackref"))
            ));
        set("$2", value("MESSAGE"),
            condition(
                match('%([^:]+):\s+([^\n]+)' value("MESSAGE") type("pcre")
                      flags("store-matches" "nobackref"))
            ));
    };

This is inconvenient, slow and ugly and in the long term, unmaintainable, but works until I prepare a correct fix for the condition(filter(foo)) case.
-- |8]