[syslog-ng] Match/Message/Macros
R King
tckingr at yahoo.com
Tue Nov 3 22:16:40 CET 2009
Thanks
--- On Tue, 11/3/09, Balazs Scheidler <bazsi at balabit.hu> wrote:
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [syslog-ng] Match/Message/Macros
To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>
Date: Tuesday, November 3, 2009, 11:15 AM
On Tue, 2009-11-03 at 08:56 -0800, R King wrote:
> I have updated Syslog-NG to 3 and am trying to figure out:
>
> "WARNING: the match() filter without the use of the value() option is
> deprecated and hinders performance, please update your configuration;"
>
> I have one filter that isn't working and I have tried several
> different ways to fix it.
> The logs are Windows DHCP logs passed from EPILOG:
>
> Nov 3 11:37:55 snsudc02 DHCPLOG[0]: 11,11/03/09,11:37:54,Renew,172.31.0.213,Ashley-PC.nsu.edu,001B9E2A18E9,
> Nov 3 11:37:55 snsudc02 DHCPLOG[0]: 11,11/03/09,11:37:55,Renew,172.16.0.191,donovan-dcda8cf.,000B7D0993DF,
>
> My filter originally was:
> filter f_dhcp { match("DHCPLOG"); };
>
> I've tried all these without success:
> filter f_dhcp { message("DHCPLOG"); };
> filter f_dhcp { program("DHCPLOG"); };
> filter f_dhcp { match("DHCPLOG" flags("ignore-case") value("$PROGRAM")); };
> filter f_dhcp { match("0" value("$PID")); };
>
> Any help would be greatly appreciated.
>
Basically the 3rd one should have been ok, with one small issue:
filter f_dhcp { match("DHCPLOG" flags("ignore-case") value("PROGRAM")); };
                                                            ^^^^ no '$'
The value() options omit the '$' sign because name-value pairs are not
macros; for example, name-value pairs can be changed (with rewrite), whereas some
of the macros cannot be.
Nevertheless, it is a common mistake, thus I'll probably change this to
behave more intuitively.
--
Bazsi