[syslog-ng]Why does this not work in 1.6.x?
Balazs Scheidler
syslog-ng@lists.balabit.hu
Tue, 09 Nov 2004 10:12:45 +0100
On Mon, 2004-11-08 at 20:28, t_esting@excite.com wrote:
> Hello, syslog-ng gurus. I have a question about a config that works for me in 1.5.26 but not in 1.6.x (up to 1.6.5/libol 0.3.14). Here are (what I hope are) the pertinent bits:
>
> source s_udp { udp( port(514) ); };
>
> filter f_fwsm_block {
> match(" \%FWSM-") and
> not match(": (Teardown|Translation|Built)");
> };
> filter f_fwsm_misc {
> match(" \%FWSM-") and
> match(": (Teardown|Translation|Built)");
> };
> log { source(s_udp); filter(f_fwsm_misc);
> destination(d_ipfilters_bymin); };
> log { source(s_udp); filter(f_fwsm_block);
> destination(d_ipmon); };
> ## fallthrough
> log { destination(d_messages); flags(fallback, catchall); };
>
> With syslog-ng 1.5.26, messages matching "%FWSM-Teardown", etc., are written (correctly) to the d_ipmon destination. With syslog-ng 1.6.x, they drop through to d_messages. Can anyone on the list please help me decipher what changes I might need to make to my config (either compiling syslog-ng itself or to my syslog-ng.conf file) to make my logs write to the same place once I upgrade?
>
I don't know about any changes that might affect you, are you sure you
only changed syslog-ng and nothing else?
I've noted however one suspicious thing: '\' is interpreted by the
lexer, so using one '\' only escapes the following character, but it
does not get into the actual output fed into the regular expression.
So you probably need to use two backslashes where you wanted one.
--
Bazsi