[syslog-ng] Match/Message/Macros

Balazs Scheidler bazsi at balabit.hu
Tue Nov 3 20:15:02 CET 2009


On Tue, 2009-11-03 at 08:56 -0800, R King wrote:
> I have updated Syslog-NG to 3 and am trying to figure out:
> 
> "WARNING: the match() filter without the use of the value() option is
> deprecated and hinders performance, please update your configuration;"
> 
> I have one filter that isn't working and I have tried several
> different ways to fix it.
> The logs are Windows DHCP logs passed from EPILOG:
> 
> Nov  3 11:37:55 snsudc02 DHCPLOG[0]:
> 11,11/03/09,11:37:54,Renew,172.31.0.213,Ashley-PC.nsu.edu,001B9E2A18E9,
> Nov  3 11:37:55 snsudc02 DHCPLOG[0]:
> 11,11/03/09,11:37:55,Renew,172.16.0.191,donovan-dcda8cf.,000B7D0993DF,
> 
> My filter originally was:
> filter f_dhcp { match("DHCPLOG"); };
> 
> I've tried all these without success:
> filter f_dhcp { message("DHCPLOG"); };
> filter f_dhcp { program("DHCPLOG"); };
> filter f_dhcp { match("DHCPLOG" flags("ignore-case")
> value("$PROGRAM")); };
> filter f_dhcp { match("0" value("$PID")); };
> 
> Any help would be greatly appreciated.
> 

Basically the 3rd one should have been ok, with one small issue:

filter f_dhcp { match("DHCPLOG" flags("ignore-case") value("PROGRAM")); };
                                                           ^^^^ no '$'

The value() option omits the '$' sign, because name-value pairs are not
macros; for example, name-value pairs can be changed (with rewrite), whereas some
of the macros cannot be.

Nevertheless, it is a common mistake, thus I'll probably change this to
behave more intuitively.

-- 
Bazsi
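As an added example (not from the thread, and not syslog-ng's own documentation), a configuration in the spirit of the correction above: a match() filter with value("PROGRAM"), a csv-parser that turns the Windows DHCP fields into name-value pairs, and a rewrite that changes one of them. It assumes a recent syslog-ng 3.x; the source, destination, column names and the @version line are placeholders chosen for the example.

```conf
@version: 3.38
# Added example, not part of the mailing-list thread. Adjust @version to the
# installed syslog-ng. Filters Windows DHCP events relayed by EPILOG and splits
# their CSV fields into name-value pairs.

source s_net { udp(port(514)); };

# value() names the field WITHOUT the '$' sign: it is a name-value pair, not a
# macro. The anchored regex avoids matching programs that merely contain the
# string; flags("ignore-case") also accepts "dhcplog".
filter f_dhcp { match("^DHCPLOG$" value("PROGRAM") flags("ignore-case")); };

# Fields of the DHCP line carried in ${MESSAGE}, e.g. (constructed copy of the
# sample in the thread):
#   11,11/03/09,11:37:54,Renew,172.31.0.213,Ashley-PC.nsu.edu,001B9E2A18E9,
# The line ends with a trailing comma, so an eighth, greedy column swallows the
# empty remainder (and any extra fields newer DHCP servers append) instead of
# making the parser fail on "too many columns".
parser p_dhcp {
    csv-parser(
        columns("DHCP.ID", "DHCP.DATE", "DHCP.TIME", "DHCP.DESCRIPTION",
                "DHCP.IP", "DHCP.HOST", "DHCP.MAC", "DHCP.REST")
        delimiters(",")
        flags(escape-none, greedy)
        template("${MESSAGE}")
    );
};

# Name-value pairs, unlike most macros, can be changed with rewrite:
# normalise the MAC address to lower case so later correlation is exact.
rewrite r_dhcp { set("$(lowercase ${DHCP.MAC})" value("DHCP.MAC")); };

# One file per DHCP event type (Renew, Assign, Release, ...), plain columns
# so that lease history for an IP or MAC is a simple grep.
destination d_dhcp {
    file("/var/log/dhcp/${DHCP.DESCRIPTION}.log"
         template("${ISODATE} ${HOST} ${DHCP.IP} ${DHCP.MAC} ${DHCP.HOST}\n"));
};

log {
    source(s_net); filter(f_dhcp); parser(p_dhcp); rewrite(r_dhcp);
    destination(d_dhcp);
};
```

Run `syslog-ng -s -f <file>` to syntax-check the configuration before loading it.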