[syslog-ng] quick question on host() in syslog-ng 3.1.4

Gergely Nagy algernon at balabit.hu
Thu Jun 16 19:25:07 CEST 2011


Mishou Michael <Michael.Mishou at csirc.irs.gov> writes:

> I want host() to do a literal, exact string match instead of regex.
> For message() you can do this: message("foo" type("string")) and get
> an exact string match.  Does this type() and flags() (so you can do
> substrings) also work on the host() operator?

As far as I can see, yes. Though, flags sets regexp flags, it probably
won't work with strings.

If you want substring matches, which are faster than regexps, then
type("glob") might be of interest to you.

> Of course, I could always do host("^192\.168\.1\.1$") but that seems kind of silly when I don't need regex at all.
>
> FWIW, syslog-ng -s doesn't complain about this in the config, and it
> starts/runs fine, I just can't tell if it's still using regex or not.

A quick look at the sources suggests that host() does indeed support
type("string"). But it's reasonably easy to verify: if the following
filter works, then it's using a regex, despite being told otherwise:

filter f_test { host("^.*$" type("string")); };

A quick question though: wouldn't it be more efficient to use templates
instead of filters? While it's not suitable in all cases, when you only
want to direct each host's logs to a different file, then something like
the following would be more efficient than filters:

destination d_hosts { file ("/var/log/hosts/$HOST.log"); };

-- 
|8]
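
Added example, not part of the original message and not syslog-ng code: a small Python model of the two match types discussed above. It shows which constructed host values an unescaped, unanchored regex accepts compared with a literal whole-string match, and applies the "^.*$" probe from the reply. The matcher functions and sample hosts are assumptions that approximate regex and string semantics.

```python
import re

# Constructed sample host values, not taken from the original post.
SAMPLE_HOSTS = [
    "192.168.1.1",
    "192.168.1.10",    # target is a prefix of this value
    "10.192.168.1.1",  # target is a suffix of this value
    "192x168y1z1",     # '.' in a regex matches any character
]


def match_regex(pattern, host):
    """Assumed model of a regex-type match: unanchored search."""
    return re.search(pattern, host) is not None


def match_string(pattern, host):
    """Assumed model of a string-type match: literal, whole value."""
    return pattern == host


def matched_hosts(matcher, pattern, hosts=SAMPLE_HOSTS):
    """Return the sample hosts that the given matcher accepts."""
    return [h for h in hosts if matcher(pattern, h)]


def probe_says_regex(matcher, ordinary_host="192.168.1.1"):
    """The probe from the reply: "^.*$" only matches an ordinary host
    name if the pattern is being interpreted as a regex."""
    return matcher("^.*$", ordinary_host)


if __name__ == "__main__":
    cases = (
        ("regex, as written", match_regex, "192.168.1.1"),
        ("regex, escaped and anchored", match_regex, r"^192\.168\.1\.1$"),
        ("string", match_string, "192.168.1.1"),
    )
    for label, matcher, pattern in cases:
        print(f"{label:28} -> {matched_hosts(matcher, pattern)}")
    print("probe reports regex (regex matcher): ", probe_says_regex(match_regex))
    print("probe reports regex (string matcher):", probe_says_regex(match_string))
```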


