[syslog-ng] Converting filtering from 2.1 to 3.0?

Matthew Hall mhall at mhcomputing.net
Tue Sep 21 00:12:50 CEST 2010


On Mon, Sep 20, 2010 at 05:23:28PM -0400, Worsham, Michael wrote:
> No such value known; value='Audit daemon rotating log files'
> No such value known; value='last message repeated'
> No such value known; value='Log statistics'

I believe this output indicates you have the incorrect information in 
the value argument. The value argument is supposed to be used to 
indicate which message macro should be checked for the string or regex 
in question.

So you probably want the value argument to be one of these:

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_macros.html

Matthew.

The most interesting ones for your application would be the ones below.

Consider using an output template which outputs the value in each macro, 
so you can see which macro you should be matching for each of your 
filter rules.

For example, if you output messages with this template, you would see 
the value in the MSGONLY macro. You could use a longer version of this 
to print out all the macros and figure out which should be used for the 
different matches you are trying to perform.

template t_raw {
    template("${MSGONLY}\n");
};


MSG or MESSAGE
Description: Text contents of the log message without the program name 
and pid. Note that this has changed in syslog-ng version 3.0; in earlier 
versions this macro included the program name and the pid. In syslog-ng 
3.0, the MSG macro became equivalent with the MSGONLY macro. The program 
name and the pid together are available in the MSGHDR macro.

MSGHDR
Description: The name and the pid of the program that sent the log 
message in PROGRAM: PID format. Includes a trailing whitespace. Note 
that the macro returns an empty value if both the program and pid fields 
of the message are empty.

MSGONLY
Description: Message contents without the program name or pid.

PROGRAM
Description: The name of the program sending the message. Note that the 
content of the $PROGRAM variable may not be completely trusted as it is 
provided by the client program that constructed the message.
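The following is an added example (editor's illustration, not from the original message or the syslog-ng project) of what the corrected 3.0 configuration looks like: the debug template extended to print the four macros discussed above, and the three filters from the error output rewritten so that value() names a macro and the text to look for is the first argument of match(). The file paths, source definition, and object names are assumptions.

```conf
@version: 3.0

# Assumed local source; adjust to your platform.
source s_local { unix-dgram("/dev/log"); internal(); };

# Debug template: one line per message showing the macros a filter
# can match against, so it is clear which one holds the target text.
template t_macros {
    template("PROGRAM=[${PROGRAM}] MSGHDR=[${MSGHDR}] MSGONLY=[${MSGONLY}] MESSAGE=[${MESSAGE}]\n");
};

# Assumed destination for the macro dump.
destination d_macros { file("/var/log/macro-debug.log" template(t_macros)); };

# Assumed form of the broken rule: the search text was passed to value(),
# which produces "No such value known; value='Audit daemon rotating log files'".
# filter f_wrong { match("" value("Audit daemon rotating log files")); };

# Corrected form: value() names the macro, the pattern comes first.
# In 3.0 MESSAGE no longer contains the program name and pid, so the
# pattern only has to cover the message body.
filter f_audit_rotate { match("Audit daemon rotating log files" value("MESSAGE")); };
filter f_repeated     { match("last message repeated" value("MESSAGE")); };
filter f_logstats     { match("Log statistics" value("MESSAGE")); };

# Filters can be combined once each one is valid on its own.
filter f_noise { filter(f_audit_rotate) or filter(f_repeated) or filter(f_logstats); };

# Assumed destinations for the filtered and remaining traffic.
destination d_noise    { file("/var/log/noise.log"); };
destination d_messages { file("/var/log/messages"); };

log { source(s_local); destination(d_macros); };
log { source(s_local); filter(f_noise); destination(d_noise); };
log { source(s_local); filter(f_noise); destination(d_messages); flags(fallback); };
```

Run with the macro dump enabled first, confirm in /var/log/macro-debug.log which macro carries the text each rule targets, then remove the d_macros log path.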
