[syslog-ng] [Bug 93] New: filter() functionality between 2.1 to 3.0 not consistent

Matthew Hall mhall at mhcomputing.net
Tue Sep 21 22:56:59 CEST 2010


Michael,

I have a guess for this one. I am guessing the old version did a regex 
match by default and on the new one it needs to be enabled.

I think maybe the match is done using POSIX RE, in which case adding 
.*STRING.* could work. Also try adding the pcre flag on the match, such 
as:

rewrite r_rewrite_subst {
        subst("a*", "?", field("message") type("pcre") flags("utf8" "global"));
};

Good Luck!
Matthew.

On Tue, Sep 21, 2010 at 04:38:59PM -0400, Worsham, Michael wrote:
> One of my co-workers lent a pair of eyes and found something rather unique between the two versions that I hadn't looked at. Right now, the v3.0.8 build we are using has the following filter configuration, modified from the v2.1 build:
> 
> filter M_audit   { not message("Audit daemon rotating log files"); };
> filter M_repeat  { not message("last message repeated"); };
> filter M_stats   { not message("Log statistics"); };
> 
> Now, if I were to log in to the syslog-ng client server and do the following 'logger last message repeated', the entire message is dropped from actually showing up on the remote syslog-ng server (which it should). However, if I do 'logger repeated' (a portion cut from the actual full message that is to be filtered), then the remote syslog-ng server will record it.
> 
> The filters, in the way they are configured, are NOT allowing for portions of the messages to be detected -- it's either the entire message is matched or none of it, not pieces. What do I need to do to allow the pieces to be detected and filtered out just like the full message?
> 
> -- M
