[syslog-ng]filter match()

Balazs Scheidler syslog-ng@lists.balabit.hu
Thu, 5 Jun 2003 16:47:53 +0200


On Mon, May 26, 2003 at 11:50:28AM +0200, Amodiovalerio Verde wrote:
> Hi all,
> 
> during some extensive tests on syslog-ng, I found something that really makes it difficult for me to implement some filters.
> 
> I need to match same EXACT messages, and so I used something like match("^MATCHTHIS$") in a filter statement...
> 
> but I find that the match will consider the message starting from the program name...
> 
> Is there any way to match JUST the message part without the program one ??? ( the program() just works on the program part of the message, so I expected that match() would work on the other one... )

As the syslog message format varies from platform to platform, it is quite
difficult to parse which part is which. So while it is quite easy to
recognize the whole message, it is more difficult to know which part is the
program name. Therefore the message as a whole is stored, as it is used to
construct forwarded messages. (think about the template "$DATE $HOST $MSG")

Apart from this it is also certainly possible to store the message part in
itself, but the same can be accomplished by using regular expressions:

match("[a-zA-Z0-9]+(\[[0-9]+\])?: EXACTMATCH$");
       ^^^^^^^^^^^^^^^^^^^^^^^^^ this matches the programname and its optional pid.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
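The behaviour discussed in this thread, as an added Python example that is not part of the original mail: it assumes Python's `re.search` approximates syslog-ng's unanchored `match()` semantics, uses constructed sample messages, and adds a stricter `^`-anchored variant of the reply's pattern (my own addition) to show why the leading anchor matters.

```python
import re

# Constructed samples of what syslog-ng stored as the message part at the
# time of this thread: "program[pid]: text" (the pid is optional).
STORED_MESSAGES = [
    "cron[1234]: EXACTMATCH",
    "sshd: EXACTMATCH",
    "sshd[99]: EXACTMATCH but with a trailing clause",
    "kernel: not EXACTMATCH",
    "my-daemon[7]: EXACTMATCH",               # program name with a hyphen
    "sshd[5]: user said foo: EXACTMATCH",     # "X: EXACTMATCH" deep inside the text
]

# The filter from the question: anchored at the start of the stored message,
# which begins with the program name, so it never fires.
NAIVE = re.compile(r"^EXACTMATCH$")

# The workaround from the reply: skip "program[pid]: ", then require the
# literal text up to end of line. It is not anchored at the start.
WORKAROUND = re.compile(r"[a-zA-Z0-9]+(\[[0-9]+\])?: EXACTMATCH$")

# Stricter variant (assumption, not from the thread): anchor at the start and
# allow '_' and '-' in the program name, so only a message whose whole text is
# EXACTMATCH is accepted.
ANCHORED = re.compile(r"^[a-zA-Z0-9_-]+(\[[0-9]+\])?: EXACTMATCH$")


def matches(pattern, message):
    """True if the filter would accept this stored message.

    re.search is used because a syslog-ng match() is a regex search over
    the stored message, not an implicitly anchored match (assumption).
    """
    return pattern.search(message) is not None


def evaluate(pattern, messages=STORED_MESSAGES):
    """Return the subset of messages the pattern accepts, in input order."""
    return [m for m in messages if matches(pattern, m)]


if __name__ == "__main__":
    for name, pat in (("naive", NAIVE), ("workaround", WORKAROUND), ("anchored", ANCHORED)):
        print(name, evaluate(pat))
```

The unanchored workaround also accepts "my-daemon[7]: EXACTMATCH" only because the search finds "daemon[7]: ..." inside it, and it accepts a message whose text merely ends in "foo: EXACTMATCH"; the anchored variant accepts the former on purpose and rejects the latter.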