syslog-ng OSE 3.2 Administrator Guide - beta
Hi,

I have released a beta version of the new administrator guide. I have updated it to cover (hopefully) every important change and feature in 3.2beta, but it still needs a review. So if something isn't working as written, is missing, or contains errors, please let me know.

You can find a summary of new sections here: http://robert.blogs.balabit.com/2010/11/syslog-ng-open-source-edition-3-2-ad...

Regards,
Robert

Hi,

On Tue, 2010-11-02 at 13:15 +0100, Fekete Robert wrote:
> Hi,
>
> I have released a beta version of the new administrator guide. I have updated it to cover (hopefully) every important change and feature in 3.2beta, but it still needs a review. So if something isn't working as written, is missing, or contains errors, please let me know.
>
> You can find a summary of new sections here: http://robert.blogs.balabit.com/2010/11/syslog-ng-open-source-edition-3-2-ad...

Some notes
==========

1) global variables

it should probably be noted that in the syntax:

    @define name "value"

the value portion is a string as defined by the syslog-ng parser, which has the following 3 possible formats:

  * without quotes as long as there's no space inside and no special characters are used (basically [a-zA-Z0-9_.])
  * with apostrophes in which case no embedded quotes are possible
  * with quotes in which case normal '\' escaping works

2) blocks

I'd like to note that the enclosing braces are not part of the block itself. So if you have a block that defines a source for a specific application:

    block source myappsource() {
        file("/opt/var/myapplication.log" follow_freq(1) default-facility(syslog));
    };

Then this can be referenced like this in a source {} statement:

    source s_local {
        myappsource();
    };

Also I don't see a description of block arguments. At least an empty argument list is mandatory. (note the parentheses after myappsource() above). These are missing from the docs too.

3) process accounting

The prefix used is ".pacct." not "pacct_", e.g. the fields are named this way: ".pacct.ac_comm"

4) system() driver

seems to be ok to me. maybe a mention of the default configuration file should be added though.

5) comparison operators in filter statements

this example is not correct:

    "$HOST" eq "myhost" is equivalent to using host("myhost").

it'd be:

    host("myhost" type(string))

6) template functions

not just double quotes can be used. apostrophes also work.

7) conditional rewrites

ok.

8) correlation

I somewhat miss the '@distance' macro modifier. I've found it at the end of the <action> description, but please note that it can be used also on the <values> section of a patterndb rule, not just in the actions section.

9) patterndb v4 format

ok.

10) strace stuff

ok. maybe a note about attaching to a running syslog-ng process using the -p option for strace/truss/tusc

--
Bazsi

participants (2)
- Balazs Scheidler
- Fekete Robert