[syslog-ng] WARNING: the match() filter without the use of the value() ...

Balazs Scheidler bazsi at balabit.hu
Tue Jun 29 15:18:01 CEST 2010


On Fri, 2010-06-25 at 11:28 +0200, Balazs Scheidler wrote:
> On Fri, 2010-06-25 at 11:14 +0200, Alan McKinnon wrote:
> > No, you seem to misunderstand how match() works.
> > 
> > The syntax is match(<regexp> value ("MACRO"))
> > 
> > <regexp> is a normal regular expression and a MACRO is a name syslog-ng 
> > applies to a piece of the log entry after it has parsed it - things like PID, 
> > PRIORITY, MESSAGE. This implies there has to be some structure to the message 
> > so syslog-ng can figure it all out. You can create your own macros too for 
> > unusual logs.
> > 
> > There is no macro called "lighttpd" and there is no facility by that name 
> > either. You cannot change facility names as you feel like it, they are 
> > predefined and fixed. You are searching for a program name, so this is what 
> > you want as a filter:
> > 
> > program("lighttpd")
> > 
> > or (longer version)
> > 
> > match("lighttpd" value("PROGRAM"))
> > 
> > Read it this way: Match the string "lighttpd" in the section of the log called 
> > "PROGRAM". Or put another way, the "value" is the name of the place to look 
> > and find a match.
> 
> please also note that all match-like filters also support a range of
> matching engines, so it is possible to write:
> 
> match("lighttpd" value("PROGRAM") type("string"));
> 
> the list of matching engines:
>   * regexp

I was just told that "regexp" is recognized as "posix" (corresponding to
POSIX extended regexps) and this is the default.

>   * pcre
>   * string
>   * glob

-- 
Bazsi
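The filters discussed in this thread, collected into one syslog-ng configuration as an added example (not part of the original thread, and not a configuration shipped by syslog-ng itself). It assumes a syslog-ng 3.x install built with PCRE support, a local /dev/log source and a destination path of /var/log/lighttpd.log, all of which are assumptions chosen for illustration. Each filter selects messages from the lighttpd program, but with a different matching engine, so you can compare what the type() option changes; the log path at the end uses one of them.

```conf
@version: 3.1

# Assumed source: local syslog socket plus syslog-ng's own messages.
source s_local {
    unix-dgram("/dev/log");
    internal();
};

# Short form from the thread: program() looks at the PROGRAM field.
filter f_lighttpd_program { program("lighttpd"); };

# Long form from the thread, with the engine chosen explicitly.
# "posix" is the default engine (POSIX extended regexp), so this is what
# match("lighttpd" value("PROGRAM")) means when no type() is given.
filter f_lighttpd_posix  { match("^lighttpd$" value("PROGRAM") type("posix")); };

# "pcre": Perl-compatible regexp; requires a PCRE-enabled build.
filter f_lighttpd_pcre   { match("^lighttpd(-\\w+)?$" value("PROGRAM") type("pcre")); };

# "string": literal comparison, no regexp metacharacters at all.
filter f_lighttpd_string { match("lighttpd" value("PROGRAM") type("string")); };

# "glob": shell-style wildcards (* and ?) instead of a regexp.
filter f_lighttpd_glob   { match("lighttpd*" value("PROGRAM") type("glob")); };

# Always name the field with value(); a bare match("lighttpd") is what
# triggers the deprecation warning quoted in this thread's subject line.

# Assumed destination for the selected messages.
destination d_lighttpd { file("/var/log/lighttpd.log"); };

log {
    source(s_local);
    filter(f_lighttpd_string);
    destination(d_lighttpd);
};
```

The regexp engines (posix, pcre) treat the pattern as a pattern, so "^lighttpd$" is anchored while a bare "lighttpd" also matches "lighttpd-access"; "string" is the one to use when you want an exact, metacharacter-free comparison of a field such as PROGRAM. Check a config with syslog-ng --syntax-only before reloading it.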
