[syslog-ng] [Bug 93] New: filter() functionality between 2.1 to 3.0 not consistent
Matthew Hall
mhall at mhcomputing.net
Tue Sep 21 22:56:59 CEST 2010
Michael,
I have a guess for this one. I am guessing the old version did a regex
match by default and on the new one it needs to be enabled.
I think maybe the match is done using POSIX RE, in which case adding
.*STRING.* could work. Also try adding the pcre flag on the match, such
as:
rewrite r_rewrite_subst
{subst("a*", "?", field("message") type("pcre") flags("utf8" "global")); };
Good Luck!
Matthew.
On Tue, Sep 21, 2010 at 04:38:59PM -0400, Worsham, Michael wrote:
> One of my co-workers lent a pair of eyes found something rather unique between the two versions I hadn't looked at. Right now, the v3.0.8 build, we are using has the following filter configuration modified from the v2.1 build:
>
> filter M_audit { not message("Audit daemon rotating log files"); };
> filter M_repeat { not message("last message repeated"); };
> filter M_stats { not message("Log statistics"); };
> Now, if I were to login to the syslog-ng client server and do the following 'logger last message repeated', the entire message is dropped from actually showing up on the remote syslog-ng server (which it should). However, if I do 'logger repeated' (a portion cut from the actual full message that is to be filtered), then the remote syslog-ng server will record it.
>
> The filters, in the way they are configured, are NOT allowing for portions of the messages to be detected -- it's either the entire message is matched or none of it, not pieces. What do I need to do to allow the pieces to be detected and filtered out just like the full message?
>
> -- M
More information about the syslog-ng
mailing list