[syslog-ng] Does syslog-ng short circuit clauses in filter?

Evan Rempel erempel at uvic.ca
Thu Sep 28 22:02:18 CEST 2006



I am thinking of a way to use regular expressions more efficiently by adding a fixed string match
along with the regular expression.

filter f_xntp_filter_no_regexp {
	# original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually);
	program("xntpd") and
	match("time error .* is way too large .* set clock manually");
};

which will evaluate the regular expression for all messages.

The syslog-ng FAQ recommends the filter

filter f_xntp_filter_no_regexp {
	# original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually);
	program("xntpd") and
	match("time error") and match("is way too large") and match("set clock manually");
			
};

but that would match the message

"xntpd[1234]: length is way too large of a time error to make set clock manually succeed."

which isn't what I want to match.


I would like to do

filter f_xntp_filter_no_regexp {
	# original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually);
	program("xntpd") and
         match("time error") and match("is way too large") and match("set clock manually") and
         match("time error .* is way too large .* set clock manually");
};


So, the question is if the message does not match any of the fixed strings, does the regular expression get
evaluate, or does the first non-matching fixed string cause the filter evaluation to abort?

Anyone have any insights?


More information about the syslog-ng mailing list