[syslog-ng] Quick filter question

Balazs Scheidler bazsi at balabit.hu
Wed Nov 9 21:36:06 CET 2011


On Tue, 2011-11-08 at 11:56 -0700, Patrick H. wrote:
> That might work, but what the order of operations on boolean
> operations (and/or) is, is unclear. In situations like that it's always
> best to explicitly force the order yourself.
> 
> filter f_firewall {
>         not (
>             program ("firewall" flags(ignore-case))
>             and (
>                 message("192\.168\.")
>                 or message("169\.254\.")
>             )
>         );
> };

You are bitten by one nasty side effect of strings in the syslog-ng
configuration file, when using regexps. (maybe we should introduce a
Perl-like syntax?).

So when using double quotes (as you do), the backslash is interpreted by
the syslog-ng config lexer (as an escape character), and then the result
is handed to the regexp engine.

This is different when you use apostrophes, in which case backslashes
are not treated specially.

message('192\.168\.') is equivalent to message("192\\.168\\.")

Also, if you only want to match fixed strings and you don't care about
regexps, you can also use:

message('192.168.' type(string) flags(substring))

which means that a substring matching is done but without treating it as a
regexp, which is _much_ faster.

-- 
Bazsi
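The escaping difference Bazsi describes, shown as an added example that is not part of the original thread: a small Python model of the double-quote unescaping (an assumption, a simplification of the real syslog-ng lexer: `\\` becomes `\`, `\"` becomes `"`, `\n`/`\t` become newline/tab, any other `\X` becomes `X`), applied to constructed log lines so you can see which messages each variant of the filter actually matches. The sample messages and the helper names are constructed for this example.

```python
import re

# Constructed sample messages (not from the original thread). The third one
# contains the digits "1921168", which a regexp of "192.168." also matches.
MESSAGES = [
    "firewall: DROP from 192.168.1.5 to 10.0.0.2",
    "firewall: DROP from 169.254.10.3 to 10.0.0.2",
    "firewall: ACCEPT from 10.0.0.7 to 10.0.0.2 (sid 1921168)",
]


def unescape_double_quoted(literal: str) -> str:
    """Simplified model (assumption) of how a double-quoted syslog-ng config
    string is unescaped before it reaches the regexp engine."""
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            nxt = literal[i + 1]
            out.append({"n": "\n", "t": "\t"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def unescape_single_quoted(literal: str) -> str:
    """Apostrophes: backslashes are passed through untouched."""
    return literal


def regexp_filter(pattern: str, quote: str) -> "re.Pattern[str]":
    """Return the regexp the engine really compiles for message("...") or message('...')."""
    text = unescape_double_quoted(pattern) if quote == '"' else unescape_single_quoted(pattern)
    return re.compile(text)


def matching(messages, pattern, quote='"', substring=False):
    """Messages matched by message(<quote>pattern<quote>), or, with substring=True,
    by message('pattern' type(string) flags(substring)) (plain substring test)."""
    if substring:
        return [m for m in messages if pattern in m]
    rx = regexp_filter(pattern, quote)
    return [m for m in messages if rx.search(m)]


if __name__ == "__main__":
    for quote in ('"', "'"):
        print(quote, regexp_filter(r"192\.168\.", quote).pattern, matching(MESSAGES, r"192\.168\.", quote))
    print("substring", matching(MESSAGES, "192.168.", substring=True))
```

Note how the double-quoted form silently widens the filter: the `.` that was meant to be literal matches any character, so a message with no 192.168. address is caught (or, inside `not (...)`, wrongly excluded).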