[syslog-ng] Converting filtering from 2.1 to 3.0?

Balazs Scheidler bazsi at balabit.hu
Mon Sep 27 15:07:31 CEST 2010


On Mon, 2010-09-20 at 16:24 -0700, Matthew Hall wrote:
> On Tue, Sep 21, 2010 at 12:52:17AM +0200, Alan McKinnon wrote:
> > Your "value" is wrong. It's a variable name, not a literal string, so 
> > you use it like this:
> > 
> > value(MSGONLY) 
> > 
> > or the cleaner version
> > 
> > value(${MSGONLY})
> 
> Are you sure? If you are sure about it, there is one example in the 
> documentation where it is not performed this way.
> 
> http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/configuring_filters.html
> 
> The following filter statement selects the messages that contain the 
> word deny and come from the host example.
> 
> filter demo_filter { host("example") and match("deny" value("MESSAGE")); };
> 
> So we better get somebody from Balabit to correct the documentation ASAP if 
> it's wrong like you suspect it to be.

match() is complicated as its meaning has changed slightly when changing
from 2.1 to 3.0.

In 2.1 (and in 2.1 compatibility mode of 3.0) match matches against the
string "program[pid]: message".

Starting with 3.0 (if @version: 3.0 is specified in the config file),
match() becomes a generic filter to match against the contents of
any name-value pair. The pattern is the first argument and the optional
value() option specifies which name-value pair to look into. By default
it works against the contents of $MESSAGE.

match("almafa")

Means to look for the string "almafa" inside $MESSAGE. You can also
achieve the same functionality by using

message("almafa")

Also, to complicate things even further (but I hope we can get over the
upgrade hassles quickly :) in 3.0 (but not in 3.1) the match() filter
couldn't cope with macros, whereas it could work with name-value pairs.
It is very difficult to decide what is a name-value pair and what is a
macro without checking the source code. That's why this has changed in
3.1, where match() (and other similar functionality) will transparently
use macro values just like name-value pairs.

The difference between macros and name-value pairs is that macros are
read-only values, generated when a template is formatted. Name-value
pairs on the other hand are read-write values associated with messages.

Hope this makes things clearer.

Matthew, where did you see the erroneous example? I couldn't find any.

-- 
Bazsi
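
The migration described above, written out as a syslog-ng configuration fragment. This is an added example for this archive page, not part of Bazsi's reply or of the syslog-ng documentation; the source, destination, filter names and the "sshd"/"deny" pattern are assumptions chosen for illustration. It shows a 2.1-style filter that silently stops matching under 3.x semantics, and its rewrite.

```conf
@version: 3.1

source s_local { unix-dgram("/dev/log"); internal(); };

# Under 2.1 semantics match() ran against "program[pid]: message", so a
# pattern like "sshd.*deny" matched on the program name as well as the
# message body. With @version: 3.x the same pattern only sees $MESSAGE,
# where "sshd" never appears, so this filter would match nothing:
#
#   filter f_sshd_deny_old { match("sshd.*deny"); };
#
# 3.x rewrite: select the program explicitly and match() only the body.
filter f_sshd_deny {
    program("sshd") and match("deny" value("MESSAGE"));
};

# match("deny") with the default value() is the same as message("deny").
filter f_deny_msg { message("deny"); };

# match() against a name-value pair other than MESSAGE. HOST is a macro,
# so per the reply above this needs 3.1; in 3.0 use host("example") instead.
filter f_from_example { match("^example$" value("HOST")); };

destination d_deny { file("/var/log/deny.log"); };

log { source(s_local); filter(f_sshd_deny); filter(f_from_example); destination(d_deny); };
```

Before switching the @version line, grep the old configuration for match() calls whose pattern contains a program name or a "[pid]:" fragment; every one of those needs a program() (or host()) filter added, otherwise the log path stops delivering without any error at startup.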


