Which macros are available for filtering ?
On a test machine, I've set up syslog-ng with a filter which looks like this : filter filter1 { match(".+" VALUE ("MACRO")); }; I've tried many MACROS and it seems only a few of them are not empty (easy to spot using this regex). The most surprising is that several documented macros are empty : for instance, MSGHDR and MSG (MSG should be the same than MESSAGE, but looks like it's not). Is it a bug ? Thanks,
On Tue, 2009-03-03 at 17:06 +0100, Vincent Panel wrote:
On a test machine, I've set up syslog-ng with a filter which looks like this :
filter filter1 { match(".+" VALUE ("MACRO")); };
I've tried many MACROS and it seems only a few of them are not empty (easy to spot using this regex). The most surprising is that several documented macros are empty : for instance, MSGHDR and MSG (MSG should be the same than MESSAGE, but looks like it's not).
Hmm.. must be a bug then... It really seems to be a bug, I've just tried it with $MSG and it didn't work. I'll look into this, thanks for reporting it. -- Bazsi
De: syslog-ng-bounces@lists.balabit.hu de la part de Balazs Scheidler
On Tue, 2009-03-03 at 17:06 +0100, Vincent Panel wrote:
On a test machine, I've set up syslog-ng with a filter which looks like this :
filter filter1 { match(".+" VALUE ("MACRO")); };
I've tried many MACROS and it seems only a few of them are not empty (easy to spot using this regex). The most surprising is that several documented macros are empty : for instance, MSGHDR and MSG (MSG should be the same than MESSAGE, but looks like it's not).
Hmm.. must be a bug then... It really seems to be a bug, I've just tried it with $MSG and it didn't work.
I'll look into this, thanks for reporting it.
Thanks for confirming. Should all macros work in filtering ? I can understand syslog-ng doesn't know yet the S_* date/time macros, because the file is still not written and it's possible the "write" time is not known yet, but for all other macros, I think they should be available to the match() function. Should I open a bug report so that this bug gets followed up in a standard way ?
participants (2)
-
Balazs Scheidler
-
Vincent Panel