[syslog-ng] Does syslog-ng short circuit clauses in filter?

Balazs Scheidler bazsi at balabit.hu
Sat Oct 7 11:37:36 CEST 2006 

On Thu, 2006-09-28 at 13:02 -0700, Evan Rempel wrote:
> 
> I am thinking of a way to use regular expressions more efficiently by adding a fixed string match
> along with the regular expression.
> 
> filter f_xntp_filter_no_regexp {
> 	# original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually);
> 	program("xntpd") and
> 	match("time error .* is way too large .* set clock manually");
> };
> 
> which will evaluate the regular expression for all messages.
> 
> The syslog-ng FAQ recommends the filter
> 
> filter f_xntp_filter_no_regexp {
> 	# original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually);
> 	program("xntpd") and
> 	match("time error") and match("is way too large") and match("set clock manually");
> 			
> };
> 
> but that would match the message
> 
> "xntpd[1234]: length is way too large of a time error to make set clock manually succeed."
> 
> which isn't what I want to match.
> 
> 
> I would like to do
> 
> filter f_xntp_filter_no_regexp {
> 	# original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually);
> 	program("xntpd") and
>          match("time error") and match("is way too large") and match("set clock manually") and
>          match("time error .* is way too large .* set clock manually");
> };
> 
> 
> So, the question is if the message does not match any of the fixed strings, does the regular expression get
> evaluate, or does the first non-matching fixed string cause the filter evaluation to abort?

syslog-ng bails out if the first operand to an AND operation fails, e.g.
it short circuits evaluation just like C (and all sane languages) do.
I'm not sure though that doing 3 iterations through the string using the
fixed patterns justify for a single regexp evaluation. I'd think that
one fixed pattern, at the beginning of the message should filter out the
majority of the messages. (and use '^' in the fixed pattern, it should
also help)

-- 
Bazsi

More information about the syslog-ng mailing list