WARNING: the match() filter without the use of the value() ...
Hello List,
I am getting this error:
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
Restarting syslog-ng: Stopping syslog-ng: OK. Starting syslog-ng: WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
with this config:
@version: 3.0
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#
### 1.) OPTIONS
options { long_hostnames(off); };
source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };
### 2.) DESTINATION
destination ldap { file("/var/log/ldap.log"); };
destination authlog { file("/var/log/auth.log"); };
destination syslogmsg { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination lighttpd { file("/var/log/lighttpd.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination all { file("/var/log/all.log"); };
destination fcron { file("/var/log/fcron.log"); };
destination sshd { file("/var/log/sshd.log"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
### 3.) FILTERS
filter f_ldap { match("slapd"); };
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_lighttpd { match("lighttpd"); };
filter f_fcron { match("fcron"); };
filter f_sshd { match("sshd"); };
# catch-all: exclude what the per-program filters above already route
filter f_syslog { not facility(authpriv, mail) and not filter(f_ldap) and not filter(f_sshd) and not filter(f_fcron); };
log { source(src); filter(f_sshd); destination(sshd); };
log { source(src); filter(f_fcron); destination(fcron); };
log { source(src); filter(f_ldap); destination(ldap); };
log { source(src); filter(f_syslog); destination(syslogmsg); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); destination(all); };
Any idea what I am doing wrong?
On Friday 25 June 2010 10:18:38 ml ml wrote:
Hello List,
I am getting this error:
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
Restarting syslog-ng: Stopping syslog-ng: OK. Starting syslog-ng: WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
[snip]
### 3.) FILTERS
filter f_ldap { match("slapd"); };
The message tells you what to do, it's right there in the admin guide :-)
pg 213 of the 3.0 admin guide:
The syntax has changed from earlier versions. match() now wants to know which part of the log to perform the match on. Your matches seem to use the program name, so use:
match("slapd" value("PROGRAM"))
to search the entire message for a match, use
match("slapd" value("MSG"))
or (better)
message("slapd")
Note that the macro name (MSG, PROGRAM, etc) does not have a leading $ - you are giving a macro name to use, not dereferencing it.
--
Alan McKinnon
Systems Engineer^W Technician
Infrastructure Services
Internet Solutions
+27 11 575 7585
Please note: This email and its content are subject to the disclaimer as displayed at the following link http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm. Should you not have Web access, send a mail to disclaimers@is.co.za and a copy will be emailed to you.
Hello,
thanks for the hint! Now I seem to struggle with the usage of it :)
I would like to log everything from the lighttpd daemon to a different logfile:
Jun 25 10:59:19 lighty-dev lighttpd[30575]: (log.c.172) server started
So I tried this filter:
filter f_lighttpd { match("lighttpd" value("lighttpd")); };
Basically I would like to match for the facility "lighttpd", right?! I don't really need a regex here.
Thanks,
Mario
On Fri, Jun 25, 2010 at 10:32 AM, Alan McKinnon <Alan.McKinnon@is.co.za> wrote:
[snip]
No, you seem to misunderstand how match() works.
The syntax is match(<regexp> value("MACRO"))
<regexp> is a normal regular expression and a MACRO is a name syslog-ng applies to a piece of the log entry after it has parsed it - things like PID, PRIORITY, MESSAGE. This implies there has to be some structure to the message so syslog-ng can figure it all out. You can create your own macros too for unusual logs.
There is no macro called "lighttpd" and there is no facility by that name either. You cannot change facility names as you feel like it, they are predefined and fixed. You are searching for a program name, so this is what you want as a filter:
program("lighttpd")
or (longer version)
match("lighttpd" value("PROGRAM"))
Read it this way: Match the string "lighttpd" in the section of the log called "PROGRAM". Or put another way, the "value" is the name of the place to look and find a match.
On Friday 25 June 2010 11:02:45 ml ml wrote:
[snip]
--
Alan McKinnon
On Fri, 2010-06-25 at 11:14 +0200, Alan McKinnon wrote:
[snip]
please also note that all match-like filters also support a range of matching engines, so it is possible to write:
match("lighttpd" value("PROGRAM") type("string"));
the list of matching engines:
* regexp
* pcre
* string
* glob
With the last one you could also write to match all postfix components:
match("postfix/*" value("PROGRAM") type("glob"));
Certainly using non-regexp matching improves performance.
--
Bazsi
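The advice from Alan's two replies (value("PROGRAM"), program(), message()) and from Bazsi's note on matching engines, collected into one filters section for the poster's configuration. This is an added example, not a config posted in the thread. The filter and destination names are the poster's; f_postfix, f_oom and the log path for destination(lighttpd) are assumptions added for illustration.

```conf
### 3.) FILTERS  (syslog-ng 3.x syntax; sections 1 and 2 of the poster's config are unchanged)

# program() is the shorthand for match(... value("PROGRAM")).
# type("string") compares the PROGRAM field literally: "sshd" does not
# match a message body that merely mentions sshd, and no regexp is compiled.
filter f_ldap     { program("slapd"); };
filter f_lighttpd { match("lighttpd" value("PROGRAM") type("string")); };
filter f_fcron    { match("fcron"    value("PROGRAM") type("string")); };
filter f_sshd     { match("sshd"     value("PROGRAM") type("string")); };

# Glob engine: one filter for every postfix component (postfix/smtpd,
# postfix/qmgr, ...). Assumed for illustration; the poster's config has
# no postfix destination to route it to.
filter f_postfix  { match("postfix/*" value("PROGRAM") type("glob")); };

# message() is the shorthand for match(... value("MESSAGE")); the default
# engine is a POSIX extended regexp. Assumed for illustration.
filter f_oom      { message("Out of memory"); };

# The catch-all excludes what the per-program filters already route.
# filter() references must use the names defined above (f_ldap, not ldap).
filter f_syslog {
    not facility(authpriv, mail)
    and not filter(f_ldap)
    and not filter(f_sshd)
    and not filter(f_fcron);
};

# The poster defined destination(lighttpd) but did not wire it to a log
# path; this path is assumed.
log { source(src); filter(f_lighttpd); destination(lighttpd); };
log { source(src); filter(f_sshd);     destination(sshd); };
log { source(src); filter(f_fcron);    destination(fcron); };
log { source(src); filter(f_ldap);     destination(ldap); };
log { source(src); filter(f_syslog);   destination(syslogmsg); };
```

Check the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` before restarting. Two caveats worth keeping in mind: the PROGRAM field is whatever tag the sender wrote into the message, and anything that can write to /dev/log can claim to be sshd, so the per-program files sort logs for convenience and are not evidence of which process produced a line. And because f_syslog excludes whatever f_sshd matches, an over-broad match (the old unscoped match("sshd") is not limited to the program field) quietly diverts unrelated messages that merely mention sshd out of /var/log/syslog; scoping the match to value("PROGRAM") with type("string") keeps the exclusion exact.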
On Fri, 2010-06-25 at 11:28 +0200, Balazs Scheidler wrote:
[snip]
the list of matching engines:
* regexp
I was just told that "regexp" is recognized as "posix" (corresponding to POSIX extended regexps) and this is the default.
* pcre
* string
* glob
--
Bazsi
participants (3): Alan McKinnon, Balazs Scheidler, ml ml