[syslog-ng] WARNING: the match() filter without the use of the value() ...

Alan McKinnon Alan.McKinnon at is.co.za
Fri Jun 25 11:14:39 CEST 2010


No, you seem to misunderstand how match() works.

The syntax is match(<regexp> value ("MACRO"))

<regexp> is a normal regular expression and a MACRO is a name syslog-ng 
applies to a piece of the log entry after it has parsed it - things like PID, 
PRIORITY, MESSAGE. This implies there has to be some structure to the message 
so syslog-ng can figure it all out. You can create your own macros too for 
unusual logs.

There is no macro called "lighttpd" and there is no facility by that name 
either. You cannot change facility names as you feel like it, they are 
predefined and fixed. You are searching for a program name, so this is what 
you want as a filter:

program("lighttpd")

or (longer version)

match("lighttpd" value("PROGRAM"))

Read it this way: Match the string "lighttpd" in the section of the log called 
"PROGRAM". Or put another way, the "value" is the name of the place to look 
and find a match.


On Friday 25 June 2010 11:02:45 ml ml wrote:
> Hello,
> 
> thanks for the hint! Now I seem to struggle with the usage of it :)
> 
> I would like to log everything from the lighttpd daemon to a different
> logfile:
> Jun 25 10:59:19 lighty-dev lighttpd[30575]: (log.c.172) server started
> 
> So I tried this filter:
>  filter f_lighttpd { match("lighttpd" value("lighttpd")); };
> 
> Basically I would like to match for the facility "lighttpd", right?! I
> don't really need a regex here.
> 
> Thanks,
> Mario
> 
> On Fri, Jun 25, 2010 at 10:32 AM, Alan McKinnon <Alan.McKinnon at is.co.za> wrote:
> > On Friday 25 June 2010 10:18:38 ml ml wrote:
> >> Hello List,
> >> 
> >> I am getting this error:
> >> WARNING: the match() filter without the use of the value() option is
> >> deprecated and hinders performance, please update your configuration;
> >> Restarting syslog-ng: Stopping syslog-ng: OK.
> >> Starting syslog-ng: WARNING: the match() filter without the use of the
> >> value() option is deprecated and hinders performance, please update
> >> your configuration;
> > 
> > [snip]
> > 
> >> ### 3.) FILTERS
> >> filter f_ldap           { match("slapd");               };
> > 
> > The message tells you what to do, it's right there in the admin guide :-)
> > 
> > pg 213 of the 3.0 admin guide:
> > 
> > The syntax has changed from earlier versions. match() now wants to know
> > which part of the log to perform the match on. Your matches seem to use
> > the program name, so use:
> > 
> > match("slapd" value("PROGRAM"))
> > 
> > to search the entire message for a match, use
> > 
> > match("slapd" value("MSG"))
> > 
> > or (better)
> > 
> > message("slapd")
> > 
> > Note that the macro name (MSG, PROGRAM, etc) does not have a leading $ -
> > you are giving a macro name to use, not dereferencing it.
> > 

-- 
Alan McKinnon
Systems Engineer^W Technician
Infrastructure Services
Internet Solutions

+27 11 575 7585

Please note: This email and its content are subject to the disclaimer as displayed at the following link http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm. Should you not have Web access, send a mail to disclaimers at is.co.za and a copy will be emailed to you.
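
The complete log path the thread is working toward, as an added example that is not part of the original messages. The source name s_local, the destination name d_lighttpd and the file path /var/log/lighttpd.log are assumptions; substitute the source already defined in your configuration.

```conf
@version: 3.0

# Sample line from the thread:
#   Jun 25 10:59:19 lighty-dev lighttpd[30575]: (log.c.172) server started
# After parsing, "lighttpd" is in PROGRAM and "30575" is in PID;
# the text after the colon is the message part.

# Assumed local source; reuse the one your config already defines.
source s_local { unix-stream("/dev/log"); internal(); };

# Deprecated form that triggers the WARNING (no value() option):
#   filter f_lighttpd { match("lighttpd"); };
# Form tried in the question; there is no field named "lighttpd":
#   filter f_lighttpd { match("lighttpd" value("lighttpd")); };

# Corrected filter: match on the parsed program name.
filter f_lighttpd { program("lighttpd"); };
# Longer equivalent form given in the reply:
#   filter f_lighttpd { match("lighttpd" value("PROGRAM")); };

# Assumed path for the separate logfile.
destination d_lighttpd { file("/var/log/lighttpd.log"); };

# flags(final) stops processing for matching messages, so they do not
# also reach log paths defined after this one. Place this log statement
# before the general ones for that to have an effect.
log {
    source(s_local);
    filter(f_lighttpd);
    destination(d_lighttpd);
    flags(final);
};
```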


