[syslog-ng] Converting filtering from 2.1 to 3.0?

[Matthew Hall]

On Mon, Sep 20, 2010 at 05:44:10PM -0600, syslogng at feystorm.net wrote:
> Your first line should be working. Not sure why it is not.
> However you can try using: not message('Audit daemon rotating log
> files' flags('ignore-case'))
> Simpler and does exactly what your old config did.

My only guess so far besides an outright bug: the message is formatted 
wrong inside the Syslog packet and the packet parser behavior changed 
from the old version to the new version in such a way that the macros 
are not being populated with the strings we expect.

However I have set up several PCRE filters against message content using 
3.1 and have not seen anything broken. So the bug possibility seems 
unlikely compared to an issue parsing the particular string.

It would be helpful if we could get the tshark -V or full Wireshark 
payload of a message that fails to decode so we could see what was 
contained in the original packet.

Matthew.