[syslog-ng] WARNING: the match() filter without the use of the value() ...

Balazs Scheidler bazsi at balabit.hu
Fri Jun 25 11:28:02 CEST 2010


On Fri, 2010-06-25 at 11:14 +0200, Alan McKinnon wrote:
> No, you seem to misunderstand how match() works.
> 
> The syntax is match(<regexp> value ("MACRO"))
> 
> <regexp> is a normal regular expression and a MACRO is a name syslog-ng 
> applies to a piece of the log entry after it has parsed it - things like PID, 
> PRIORITY, MESSAGE. This implies there has to be some structure to the message 
> so syslog-ng can figure it all out. You can create your own macros too for 
> unusual logs.
> 
> There is no macro called "lighttpd" and there is no facility by that name 
> either. You cannot change facility names as you feel like it, they are 
> predefined and fixed. You are searching for a program name, so this is what 
> you want as a filter:
> 
> program("lighttpd")
> 
> or (longer version)
> 
> match("lighttpd" value("PROGRAM"))
> 
> Read it this way: Match the string "lighttpd" in the section of the log called 
> "PROGRAM". Or put another way, the "value" is the name of the place to look 
> and find a match.

Please also note that all match-like filters also support a range of
matching engines, so it is possible to write:

match("lighttpd" value("PROGRAM") type("string"));

The list of matching engines:
  * regexp
  * pcre
  * string
  * glob

With the last one you could also write to match all postfix components:

match("postfix/*" value("PROGRAM") type("glob"));

Certainly using non-regexp matching improves performance.

-- 
Bazsi
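The thread above explains match() as "pattern, place to look (value), engine (type)". The following is an added example, not code from the thread or from syslog-ng itself: a small Python model of that filter applied to constructed log records, so the difference between the engines is visible. It assumes syslog-ng's documented defaults that regexp/pcre are unanchored searches and that type("string") compares the whole value literally; the record dicts and program names are constructed sample data.

```python
import re
import fnmatch

# Constructed sample records, modelled as syslog-ng name/value pairs (PROGRAM, MESSAGE).
SAMPLE_RECORDS = [
    {"PROGRAM": "lighttpd", "MESSAGE": "GET /index.html 200"},
    {"PROGRAM": "lighttpd-angel", "MESSAGE": "server started"},
    {"PROGRAM": "postfix/smtpd", "MESSAGE": "connect from localhost"},
    {"PROGRAM": "postfix/qmgr", "MESSAGE": "queue active"},
    {"PROGRAM": "sshd", "MESSAGE": "Accepted publickey"},
]


def match_filter(record, pattern, value="MESSAGE", type_="regexp"):
    """Emulate match(pattern value(NAME) type(ENGINE)).

    value() names the macro to inspect; type() picks the engine
    (assumed semantics, modelled after syslog-ng's documented defaults):
      regexp / pcre : unanchored regular-expression search (both use re here)
      string        : literal comparison against the whole value
      glob          : shell wildcard matched against the whole value
    """
    subject = record.get(value, "")
    if type_ in ("regexp", "pcre"):
        return re.search(pattern, subject) is not None
    if type_ == "string":
        return subject == pattern
    if type_ == "glob":
        return fnmatch.fnmatchcase(subject, pattern)
    raise ValueError(f"unknown matching engine: {type_}")


def programs_matching(records, pattern, type_):
    """PROGRAM names selected by match(pattern value("PROGRAM") type(type_))."""
    return [r["PROGRAM"] for r in records if match_filter(r, pattern, "PROGRAM", type_)]


if __name__ == "__main__":
    # match("lighttpd" value("PROGRAM") type("string")): only the exact program name
    print(programs_matching(SAMPLE_RECORDS, "lighttpd", "string"))
    # the regexp form (what program("lighttpd") uses) also picks up "lighttpd-angel",
    # because the search is unanchored; anchor it ("^lighttpd$") if that is not wanted
    print(programs_matching(SAMPLE_RECORDS, "lighttpd", "regexp"))
    # match("postfix/*" value("PROGRAM") type("glob")): every postfix component
    print(programs_matching(SAMPLE_RECORDS, "postfix/*", "glob"))
```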