[syslog-ng] Converting filtering from 2.1 to 3.0?

[Balazs Scheidler]

On Mon, 2010-09-27 at 10:05 -0700, Matthew Hall wrote:
> Hi Bazsi,
> 
> On Mon, Sep 27, 2010 at 03:07:31PM +0200, Balazs Scheidler wrote:
> > Mathew, where did you see the erroneous example? I couldn't find any?
> 
> Sorry for the confusion. Let me try to say it differently from before.
> 
> I was not saying the example must be erroneous, just that what Alan said 
> and what the example did conflicted with each other. If Alan is right 
> that you must have special markers on the variables passed to match, 
> then this example from the HTML is wrong:
> 
> filter demo_filter { host("example") and match("deny" value("MESSAGE")); };
> 
> Because it does not put $ or ${} which Alan believed necessary for it to 
> work. Alternatively, Alan made a mistake thinking these chars were 
> mandatory. I think both the doc and Alan can't be right at the same 
> time.
> 
> So I was trying to get confirmation from Balabit about it.

No need for the "$", it was intentionally not put there as value is not
a template. e.g. you can't write this:

match("deny" value("$MSGHDR$MSG"));

syslog-ng 3.1 gives you a warning if you use '$' in the value but will
work correctly. 3.0 is not this forgiving, it'll simply not work.

-- 
Bazsi