[syslog-ng] quick question on host() in syslog-ng 3.1.4

Mishou Michael Michael.Mishou at csirc.irs.gov
Thu Jun 16 19:30:00 CEST 2011


Gergely,

Thanks for the quick response, as always.  I'll keep glob in mind for substrings, what I had been doing was message("foo" type("string") flags("substring")); but it seems like glob would be less typing :-).

Re: templates, absolutely!  I'm trying to get the old config in a working state so I can concentrate on getting a new, much less complicated config in place.  I envision templating being a big part of it, then just using symlinks to make things easier on the humans, or a hosts file with names I'd prefer instead of the IP addresses we'd end up with for the various devices.

Thanks for the help!

Regards,

--Mike

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Gergely Nagy
Sent: Thursday, June 16, 2011 1:25 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] quick question on host() in syslog-ng 3.1.4

Mishou Michael <Michael.Mishou at csirc.irs.gov> writes:

> I want host() to do a literal, exact string match instead of regex.
> For message() you can do this: message("foo" type("string")) and get
> an exact string match.  Does this type() and flags() (so you can do
> substrings) also work on the host() operator?

As far as I can see, yes. Though, as flags sets regexp flags, it probably
won't work with strings.

If you want substring matches, which are faster than regexps, then
type("glob") might be of interest to you.

> Of course, I could always do host("^192\.168\.1\.1$") but that seems kind of silly when I don't need regex at all.
>
> FWIW, syslog-ng -s doesn't complain about this in the config, and it
> starts/runs fine, I just can't tell if it's still using regex or not.

A quick look at the sources suggests that host() does indeed support
type("string"). But it's reasonably easy to verify: if the following
filter works, then it's using a regex, despite being told otherwise:

filter f_test { host("^.*$" type("string")); };

A quick question though: wouldn't it be more efficient to use templates
instead of filters? While it's not suitable in all cases, when you only
want to direct each host's logs to a different file, then something like
the following would be more efficient than filters:

destination d_hosts { file ("/var/log/hosts/$HOST.log"); };

-- 
|8]
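The pieces discussed above (exact host() match, glob substring, the regex self-check and the $HOST template destination) combined into one minimal configuration, as an added example that is not from either poster; the source, addresses and file paths are assumptions.

```conf
@version: 3.1

# Assumed receiving source. keep_hostname(no) (the default) makes $HOST the
# sender's resolved address rather than the hostname the message itself claims.
source s_net { udp(ip("0.0.0.0") port(514)); };

# Exact match: no regex, so "." is a literal dot. As an unanchored regex,
# host("192.168.1.1") would also accept e.g. 192x168x1x1 or 192.168.1.10.
filter f_router { host("192.168.1.1" type("string")); };

# Substring match via glob, as suggested in the thread (assumed pattern).
filter f_core { host("*core*" type("glob")); };

# Self-check from the thread: "^.*$" is only a wildcard under regex. If any
# message reaches d_check, type("string") is being ignored for host().
filter f_test { host("^.*$" type("string")); };

destination d_router { file("/var/log/router.log"); };
destination d_core   { file("/var/log/core.log"); };
destination d_check  { file("/var/log/string-check.log"); };

# Template instead of one filter per host: one file per sender.
destination d_hosts { file("/var/log/hosts/$HOST.log" create_dirs(yes)); };

log { source(s_net); filter(f_router); destination(d_router); };
log { source(s_net); filter(f_core);   destination(d_core); };
log { source(s_net); filter(f_test);   destination(d_check); };
log { source(s_net); destination(d_hosts); };
```

Run `syslog-ng -s` against the file first; an empty /var/log/string-check.log after traffic arrives is the expected result for a true string match.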

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
