[syslog-ng] Macro question
Balazs Scheidler
bazsi at balabit.hu
Tue Nov 3 17:11:31 CET 2009
On Wed, 2009-10-28 at 17:18 -0400, Michael J. Bauer wrote:
> I am running syslog-ng 3.0.4 on RHEL 5.4.
>
> I have a log message that appears in my logfiles as
>
> Oct 28 16:41:22 juniper-router {wan-service-set}[FWNAT]:
> ASP_NAT_RULE_MATCH: proto 6 (TCP) application: any,
> ge-0/0/3.2:10.3.13.153:49818 -> 66.249.80.148:80, Match NAT rule-set: ,
> rule: nat-outgoing, term: dynamic-nat
>
> There are no carriage returns in that entry; any that appear are
> artifacts of some mail server or client along the way.
>
> I want any log entry containing the string FWNAT to go into a separate
> file. match(FWNAT) on the filter does just that, but syslog-ng
> complains that I'm not using value() for efficiency. However, it's not
> at all clear which macro, if any, actually contains the string FWNAT. I
> can tell you five that don't:
>
> APPLICATION
> EVENT_SOURCE
> MESSAGE
> MSG
> PROGRAM
>
> What macro contains FWNAT? And where can I get a definitive list of
> macros and specifics on how the value in each is set for each line? The
> documentation is insufficiently detailed on this subject.
$PROGRAM will contain {wan-service-set}
$PID will contain FWNAT
--
Bazsi
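
An added example, not part of the original message or of the syslog-ng documentation: a syslog-ng 3.x configuration sketch that applies the answer above by matching on the PID macro through value(). The source name s_net, the filter and destination names, and both file paths are hypothetical.

```conf
# Hypothetical names: s_net, f_fwnat, d_fwnat, d_default and both file paths.
source s_net { udp(ip(0.0.0.0) port(514)); };

# For the sample line, the tag "{wan-service-set}[FWNAT]:" is split so that
# PROGRAM = "{wan-service-set}" and PID = "FWNAT" (per the reply above).
# Matching on a single macro with value() avoids the efficiency warning
# that the bare match(FWNAT) form triggers.
filter f_fwnat { match("^FWNAT$" value("PID")); };

destination d_fwnat   { file("/var/log/juniper/fwnat.log"); };
destination d_default { file("/var/log/messages"); };

# FWNAT entries go to their own file; flags(final) keeps them out of
# the catch-all log path that follows.
log { source(s_net); filter(f_fwnat); destination(d_fwnat); flags(final); };
log { source(s_net); destination(d_default); };
```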