[syslog-ng] the match() filter without the use of the value() option is deprecated

Balazs Scheidler bazsi at balabit.hu
Fri Sep 18 20:27:41 CEST 2009


On Fri, 2009-09-18 at 10:59 -0500, Jeremy M. Guthrie wrote:
> Can anyone shed light on what the below error message means?  I cannot 
> find anything on what value() is and why my syntax is wrong.  I am migrating a 
> older configuration to 3.0.4.  
> 
> WARNING: the match() filter without the use of the value() option is 
> deprecated and hinders performance, please update your configuration;
> 

in syslog-ng versions prior to 3.0, the complete message starting from
the program name was stored internally as a single string, e.g. the $MSG
macro was a simple variable reference, and the match() filter always
matched against this string.

In syslog-ng 3.0, this was changed (because of the new IETF protocol
format), syslog-ng stores all bits found in the syslog message in
separate fields, e.g. $PROGRAM, $PID and $MSG together make up the
syslog message as you know it.

Because of backwards compatibility, match() still matches against the
old "$PROGRAM[$PID]: $MSG" format (expressed in the new meanings of
these macros), however since this is not a simple variable reference
anymore, syslog-ng needs to construct this value for every match()
invocation.

The match() filter has been repurposed, and a new message() filter was
also introduced.

E.g. if you want to match against the message payload (without the
program name and pid), you should use the message() filter.

The match() filter was extended to be able to match against any fields
of a syslog message using this syntax:

match("regexp" value("MESSAGE"));

This is equivalent to the message() filter. However now you can also
match against custom fields that you can associate with the message
using parsers, e.g. you are not limited to internal values, you can also
add your own.

-- 
Bazsi
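The three filter forms discussed in the reply, written out as a syslog-ng 3.0 configuration fragment. This is an added example, not from the thread or from the syslog-ng project; the source and destination paths, the program name "sshd", the message layout and the column names given to csv-parser are all assumptions.

```conf
# Added example (not from the thread). Paths, the "sshd" program name and
# the "Failed password for <user> from <ip> port <port> ssh2" layout are assumed.
source s_local { unix-stream("/dev/log"); internal(); };

# Deprecated form: no value() option, so syslog-ng has to rebuild the old
# "$PROGRAM[$PID]: $MSG" string for every message before matching, and the
# regexp also sees the program name and pid, not just the payload.
filter f_old { match("sshd.*Failed password"); };

# Same intent with value(): each part is matched against the field that
# already holds it, so no string has to be constructed per message.
filter f_new {
    match("^sshd$" value("PROGRAM"))
    and match("Failed password" value("MESSAGE"));
};

# message() is the shorthand for match(... value("MESSAGE")).
filter f_payload { message("Failed password"); };

# Custom fields: csv-parser splits the payload into named columns, and a
# column is then filterable exactly like a built-in field.
parser p_auth {
    csv-parser(columns("AUTH.ACTION", "AUTH.OBJECT", "AUTH.FOR", "AUTH.USER",
                       "AUTH.FROM", "AUTH.SRC", "AUTH.PORTWORD", "AUTH.PORT",
                       "AUTH.PROTO")
               delimiters(" ")
               template("${MESSAGE}"));
};

# Filter on the parser-produced field (AUTH.USER is an assumed name).
filter f_root_attempt { match("^root$" value("AUTH.USER")); };

destination d_auth_alerts { file("/var/log/ssh-root-attempts.log"); };

# Statements run in order, so the parser must precede the filter that uses its fields.
log {
    source(s_local);
    filter(f_payload);
    parser(p_auth);
    filter(f_root_attempt);
    destination(d_auth_alerts);
};
```

csv-parser is positional: a variant payload such as "Failed password for invalid user ..." shifts every column, so in practice anchor the regexp on the fixed words or use a stricter parser; the point here is only that a field created by a parser can be matched with value() the same way as $PROGRAM or $MESSAGE.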
