[syslog-ng] WARNING: the match() filter without the use of the value() ...
Balazs Scheidler
bazsi at balabit.hu
Tue Jun 29 15:18:01 CEST 2010
On Fri, 2010-06-25 at 11:28 +0200, Balazs Scheidler wrote:
> On Fri, 2010-06-25 at 11:14 +0200, Alan McKinnon wrote:
> > No, you seem to misunderstand how match() works.
> >
> > The syntax is match(<regexp> value ("MACRO"))
> >
> > <regexp> is a normal regular expression and a MACRO is a name syslog-ng
> > applies to a piece of the log entry after it has parsed it - things like PID,
> > PRIORITY, MESSAGE. This implies there has to be some structure to the message
> > so syslog-ng can figure it all out. You can create your own macros too for
> > unusual logs.
> >
> > There is no macro called "lighttpd" and there is no facility by that name
> > either. You cannot change facility names as you feel like it, they are
> > predefined and fixed. You are searching for a program name, so this is what
> > you want as a filter:
> >
> > program("lighttpd")
> >
> > or (longer version)
> >
> > match("lighttpd" value("PROGRAM"))
> >
> > Read it this way: Match the string "lighttpd" in the section of the log called
> > "PROGRAM". Or put another way, the "value" is the name of the place to look
> > and find a match.
>
> Please also note that all match-like filters also support a range of
> matching engines, so it is possible to write:
>
> match("lighttpd" value("PROGRAM") type("string"));
>
> The list of matching engines:
> * regexp

I was just told that "regexp" is recognized as "posix" (corresponding to
POSIX extended regexps) and this is the default.

> * pcre
> * string
> * glob
--
Bazsi
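
Added example, not part of the original message or the syslog-ng documentation: the filters discussed above placed in a complete log path, one per matching engine named in the thread. The object names (s_local, f_*, d_lighttpd), the file path, the "lighttpd-angel" sample program name and the @version line are assumptions.

```conf
# Added example; names, paths and the version line below are assumptions.
@version: 3.1

source s_local { unix-stream("/dev/log"); internal(); };

# The form named in the subject line: match() with no value().
# Kept commented out; shown only for comparison with the filters below.
# filter f_old { match("lighttpd"); };

# Default engine (posix, per the thread). A regexp is unanchored unless you
# anchor it, so this also matches a PROGRAM such as "lighttpd-angel".
filter f_posix_loose { match("lighttpd" value("PROGRAM")); };

# Same engine, anchored so that only the exact program name matches.
filter f_posix_exact { match("^lighttpd$" value("PROGRAM") type("posix")); };

# pcre: Perl-compatible syntax, here with a non-capturing optional suffix.
filter f_pcre { match("^lighttpd(?:-angel)?$" value("PROGRAM") type("pcre")); };

# string: literal comparison, no regexp metacharacters are interpreted.
filter f_string { match("lighttpd" value("PROGRAM") type("string")); };

# glob: shell-style wildcard pattern instead of a regexp.
filter f_glob { match("lighttpd*" value("PROGRAM") type("glob")); };

destination d_lighttpd { file("/var/log/lighttpd.log"); };

# Only one filter is referenced; swap in another to compare behaviour.
log { source(s_local); filter(f_posix_exact); destination(d_lighttpd); };
```

When the filter decides which events reach an audit or alerting destination, prefer the anchored or literal forms so that a differently named program cannot land in the same log by containing the string.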