[syslog-ng] Does syslog-ng short circuit clauses in filter?
Evan Rempel
erempel at uvic.ca
Thu Sep 28 22:02:18 CEST 2006
I am thinking of a way to use regular expressions more efficiently by adding a fixed string match
along with the regular expression.
filter f_xntp_filter_no_regexp {
# original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually);
program("xntpd") and
match("time error .* is way too large .* set clock manually");
};
which will evaluate the regular expression for all messages.
The syslog-ng FAQ recommends the filter
filter f_xntp_filter_no_regexp {
# original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually);
program("xntpd") and
match("time error") and match("is way too large") and match("set clock manually");
};
but that would match the message
"xntpd[1234]: length is way too large of a time error to make set clock manually succeed."
which isn't what I want to match.
I would like to do
filter f_xntp_filter_no_regexp {
# original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually);
program("xntpd") and
match("time error") and match("is way too large") and match("set clock manually") and
match("time error .* is way too large .* set clock manually");
};
So, the question is if the message does not match any of the fixed strings, does the regular expression get
evaluate, or does the first non-matching fixed string cause the filter evaluation to abort?
Anyone have any insights?
More information about the syslog-ng
mailing list