Match/Message/Macros
I have updated Syslog-NG to 3 and am trying to figure out:

"WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;"

I have one filter that isn't working and I have tried several different ways to fix it. The logs are Windows DHCP logs passed from EPILOG:

Nov 3 11:37:55 snsudc02 DHCPLOG[0]: 11,11/03/09,11:37:54,Renew,172.31.0.213,Ashley-PC.nsu.edu,001B9E2A18E9,
Nov 3 11:37:55 snsudc02 DHCPLOG[0]: 11,11/03/09,11:37:55,Renew,172.16.0.191,donovan-dcda8cf.,000B7D0993DF,

My filter originally was:

filter f_dhcp { match("DHCPLOG"); };

I've tried all these without success:

filter f_dhcp { message("DHCPLOG"); };
filter f_dhcp { program("DHCPLOG"); };
filter f_dhcp { match("DHCPLOG" flags("ignore-case") value("$PROGRAM")); };
filter f_dhcp { match("0" value("$PID")); };

Any help would be greatly appreciated.
On Tue, 2009-11-03 at 08:56 -0800, R King wrote:
I have updated Syslog-NG to 3 and am trying to figure out:
"WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;"
I have one filter that isn't working and I have tried several different ways to fix it. The logs are Windows DHCP logs passed from EPILOG:
Nov 3 11:37:55 snsudc02 DHCPLOG[0]: 11,11/03/09,11:37:54,Renew,172.31.0.213,Ashley-PC.nsu.edu,001B9E2A18E9,
Nov 3 11:37:55 snsudc02 DHCPLOG[0]: 11,11/03/09,11:37:55,Renew,172.16.0.191,donovan-dcda8cf.,000B7D0993DF,
My filter originally was: filter f_dhcp { match("DHCPLOG"); };
I've tried all these without success:
filter f_dhcp { message("DHCPLOG"); };
filter f_dhcp { program("DHCPLOG"); };
filter f_dhcp { match("DHCPLOG" flags("ignore-case") value("$PROGRAM")); };
filter f_dhcp { match("0" value("$PID")); };
Any help would be greatly appreciated.
Basically the 3rd one should have been ok, with one small issue:

filter f_dhcp { match("DHCPLOG" flags("ignore-case") value("PROGRAM")); };
                                                           ^^^^ no '$'

the value() options omit the '$' sign, because name-value pairs are not macros, for example name-value pairs can be changed (with rewrite) whereas some of the macros cannot be.

Nevertheless, it is a common mistake, thus I'll probably change this to behave more intuitively.

--
Bazsi
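As an added illustration (not part of the original thread, and not syslog-ng's own code), this Python model splits the two sample lines into name-value pairs and shows why the filter has to name the field as PROGRAM rather than $PROGRAM or MESSAGE. The `parse`, `match` and `route` helpers and the header regex are assumptions made for the example, and a name that was never set is modelled as an empty string.

```python
import re

# Constructed sample input: the two DHCP lines quoted in the thread.
SAMPLES = [
    "Nov 3 11:37:55 snsudc02 DHCPLOG[0]: 11,11/03/09,11:37:54,Renew,"
    "172.31.0.213,Ashley-PC.nsu.edu,001B9E2A18E9,",
    "Nov 3 11:37:55 snsudc02 DHCPLOG[0]: 11,11/03/09,11:37:55,Renew,"
    "172.16.0.191,donovan-dcda8cf.,000B7D0993DF,",
]

# BSD-syslog layout: "<date> <host> <program>[<pid>]: <message>"
HEADER = re.compile(
    r"^(?P<DATE>\w{3}\s+\d+\s[\d:]{8})\s(?P<HOST>\S+)\s"
    r"(?P<PROGRAM>[^\s\[:]+)(?:\[(?P<PID>\d+)\])?:\s?(?P<MESSAGE>.*)$"
)


def parse(line):
    """Split a raw line into name-value pairs; the keys carry no '$'."""
    m = HEADER.match(line)
    if m is None:
        # Header not recognised: treat the whole line as the message.
        return {"MESSAGE": line}
    return {k: v for k, v in m.groupdict().items() if v is not None}


def match(pattern, value, pairs, ignore_case=False):
    """Model of match(pattern value(name)): search one named field only.

    Assumption: a name the parser never set (such as "$PROGRAM")
    reads as an empty string, so nothing can match in it.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, pairs.get(value, ""), flags) is not None


def route(lines, pattern, value):
    """Return the lines a filter on the given field would let through."""
    return [ln for ln in lines
            if match(pattern, value, parse(ln), ignore_case=True)]


if __name__ == "__main__":
    for name in ("PROGRAM", "$PROGRAM", "MESSAGE"):
        print(name, len(route(SAMPLES, "DHCPLOG", name)))
```

In this model the tag "DHCPLOG" lands in PROGRAM and the comma-separated DHCP record in MESSAGE, so only a filter on PROGRAM selects the lines.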
Thanks

--- On Tue, 11/3/09, Balazs Scheidler <bazsi@balabit.hu> wrote:

From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] Match/Message/Macros
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Date: Tuesday, November 3, 2009, 11:15 AM

On Tue, 2009-11-03 at 08:56 -0800, R King wrote:
I have updated Syslog-NG to 3 and am trying to figure out:
"WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;"
I have one filter that isn't working and I have tried several different ways to fix it. The logs are Windows DHCP logs passed from EPILOG:
Nov 3 11:37:55 snsudc02 DHCPLOG[0]: 11,11/03/09,11:37:54,Renew,172.31.0.213,Ashley-PC.nsu.edu,001B9E2A18E9,
Nov 3 11:37:55 snsudc02 DHCPLOG[0]: 11,11/03/09,11:37:55,Renew,172.16.0.191,donovan-dcda8cf.,000B7D0993DF,
My filter originally was: filter f_dhcp { match("DHCPLOG"); };
I've tried all these without success:
filter f_dhcp { message("DHCPLOG"); };
filter f_dhcp { program("DHCPLOG"); };
filter f_dhcp { match("DHCPLOG" flags("ignore-case") value("$PROGRAM")); };
filter f_dhcp { match("0" value("$PID")); };
Any help would be greatly appreciated.
Basically the 3rd one should have been ok, with one small issue:

filter f_dhcp { match("DHCPLOG" flags("ignore-case") value("PROGRAM")); };
                                                           ^^^^ no '$'

the value() options omit the '$' sign, because name-value pairs are not macros, for example name-value pairs can be changed (with rewrite) whereas some of the macros cannot be.

Nevertheless, it is a common mistake, thus I'll probably change this to behave more intuitively.

--
Bazsi