[syslog-ng] WARNING: the match() filter without the use of the value() ...
Balazs Scheidler
bazsi at balabit.hu
Fri Jun 25 11:28:02 CEST 2010
On Fri, 2010-06-25 at 11:14 +0200, Alan McKinnon wrote:
> No, you seem to misunderstand how match() works.
>
> The syntax is match(<regexp> value ("MACRO"))
>
> <regexp> is a normal regular expression and a MACRO is a name syslog-ng
> applies to a piece of the log entry after it has parsed it - things like PID,
> PRIORITY, MESSAGE. This implies there has to be some structure to the message
> so syslog-ng can figure it all out. You can create your own macros too for
> unusual logs.
>
> There is no macro called "lighttpd" and there is no facility by that name
> either. You cannot change facility names as you feel like it, they are
> predefined and fixed. You are searching for a program name, so this is what
> you want as a filter:
>
> program("lighttpd")
>
> or (longer version)
>
> match("lighttpd" value("PROGRAM"))
>
> Read it this way: Match the string "lighttpd" in the section of the log called
> "PROGRAM". Or put another way, the "value" is the name of the place to look
> and find a match.
Please also note that all match-like filters support a range of
matching engines, so it is possible to write:
match("lighttpd" value("PROGRAM") type("string"));
The list of matching engines:
* regexp
* pcre
* string
* glob
With the last one you could also write to match all postfix components:
match("postfix/*" value("PROGRAM") type("glob"));
Certainly using non-regexp matching improves performance.
--
Bazsi
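As an added illustration (not code from syslog-ng or from either poster), the following Python emulation applies the four matching engines named above to a handful of constructed PROGRAM values, using the patterns from the thread. It assumes the semantics as generally understood: regexp/pcre are unanchored searches, string is an exact comparison, and glob is a whole-value shell-style wildcard match; the ad hoc function and program names are hypothetical.

```python
import fnmatch
import re

# Emulation of syslog-ng's match() engines applied to one macro value.
# Assumption (not taken from syslog-ng's own code): "regexp" and "pcre"
# search anywhere in the value, "string" compares the whole value, and
# "glob" matches shell-style wildcards against the whole value.
def match_filter(pattern, value, engine="regexp"):
    if engine in ("regexp", "pcre"):
        return re.search(pattern, value) is not None
    if engine == "string":
        return pattern == value
    if engine == "glob":
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"unknown matching engine: {engine}")

# Constructed PROGRAM values as syslog-ng would extract them from the
# message header; the last two are look-alikes, not the daemons wanted.
PROGRAMS = [
    "lighttpd",
    "postfix/smtpd",
    "postfix/qmgr",
    "lighttpd-angel",
    "notpostfix/foo",
]

def select_programs(pattern, engine):
    """Return the PROGRAM values the given match() filter would let through."""
    return [p for p in PROGRAMS if match_filter(p, p, engine)] if False else \
           [p for p in PROGRAMS if match_filter(pattern, p, engine)]

if __name__ == "__main__":
    cases = [
        ("lighttpd", "regexp"),   # unanchored: also hits lighttpd-angel
        ("lighttpd", "string"),   # exact: only lighttpd itself
        ("postfix", "regexp"),    # unanchored: also hits notpostfix/foo
        ("^postfix/", "regexp"),  # anchored regexp fixes that
        ("postfix/*", "glob"),    # glob over the whole value, no anchors needed
    ]
    for pattern, engine in cases:
        hits = select_programs(pattern, engine)
        print(f'match("{pattern}" value("PROGRAM") type("{engine}")) -> {hits}')
```

The point worth checking in a real configuration is the first and third cases: an unanchored regexp on PROGRAM quietly routes logs from similarly named programs into the same destination, while type("string") or an anchored pattern does not.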