[syslog-ng] Converting filtering from 2.1 to 3.0?
Matthew Hall
mhall at mhcomputing.net
Tue Sep 21 00:12:50 CEST 2010
On Mon, Sep 20, 2010 at 05:23:28PM -0400, Worsham, Michael wrote:
> No such value known; value='Audit daemon rotating log files'
> No such value known; value='last message repeated'
> No such value known; value='Log statistics'
I believe this output indicates you have the incorrect information in
the value argument. The value argument is supposed to be used to
indicate which message macro should be checked for the string or regex
in question.
So you probably want the value argument to be one of these:
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_macros.html
Matthew.
The most interesting ones for your application would be the ones below.
Consider using an output template which outputs the value in each macro,
so you can see which macro you should be matching for each of your
filter rules.
For example, if you output messages with this template, you would see
the value in the MSGONLY macro. You could use a longer version of this
to print out all the macros and figure out which should be used for the
different matches you are trying to perform.
template t_raw {
template("${MSGONLY}\n");
};
MSG or MESSAGE
Description: Text contents of the log message without the program name
and pid. Note that this has changed in syslog-ng version 3.0; in earlier
versions this macro included the program name and the pid. In syslog-ng
3.0, the MSG macro became equivalent with the MSGONLY macro. The program
name and the pid together are available in the MSGHDR macro.
MSGHDR
Description: The name and the pid of the program that sent the log
message in PROGRAM: PID format. Includes a trailing whitespace. Note
that the macro returns an empty value if both the program and pid fields
of the message are empty.
MSGONLY
Description: Message contents without the program name or pid.
PROGRAM
Description: The name of the program sending the message. Note that the
content of the $PROGRAM variable may not be completely trusted as it is
provided by the client program that constructed the message.
More information about the syslog-ng
mailing list