[syslog-ng] Quick filter question
Lay, James
james.lay at wincofoods.com
Thu Nov 10 16:07:23 CET 2011
> -----Original Message-----
> From: Balazs Scheidler [mailto:bazsi at balabit.hu]
> Sent: Wednesday, November 09, 2011 1:36 PM
> To: Syslog-ng users' and developers' mailing list
> Cc: Lay, James
> Subject: Re: [syslog-ng] Quick filter question
>
> On Tue, 2011-11-08 at 11:56 -0700, Patrick H. wrote:
> > That might work, but what the order of operations on boolean
> > operations (and/or) is, is unclear. In situations like that it's always
> > best to explicitly force the order yourself.
> >
> > filter f_firewall {
> > not (
> > program ("firewall" flags(ignore-case))
> > and (
> > message("192\.168\.")
> > or message("169\.254\.")
> > )
> > );
> > };
>
> You are bitten by one nasty side effect of strings in the syslog-ng
> configuration file, when using regexps. (maybe we should introduce a
> Perl-like syntax?).
>
> So when using double quotes (as you do), the backslash is interpreted by
> the syslog-ng config lexer (as an escape character), and then the result
> is handed to the regexp engine.
>
> This is different when you use apostrophes, in which case backslashes
> are not treated specially.
>
> message('192\.168\.') is equivalent to message("192\\.168\\.")
>
> Also, if you only want to match fixed strings and you don't care about
> regexps, you can also use:
>
> message('192.168.' type(string) flags(substring))
>
> which means that a substring matching is done but without treating it as a
> regexp, which is _much_ faster.
>
> --
> Bazsi
>
Thanks for the heads up and additional config information Bazsi. I really appreciate it.
James
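The quoting difference Bazsi describes above, as an added example that is not part of the thread: a small Python model of what the regexp engine actually receives from a double-quoted versus a single-quoted syslog-ng config string, and why a filter written with `"192\.168\."` silently widens to matching any character where a literal dot was intended. The unescape routine is an assumption for illustration (a minimal C-style pass where `\\` yields one backslash and any other escaped character yields itself); the real syslog-ng lexer handles more escapes, and `type(string) flags(substring)` is modelled as a plain substring test.

```python
import re


def double_quote_unescape(body: str) -> str:
    """Model (assumption, not the real lexer) of how a double-quoted
    syslog-ng config string is unescaped before reaching the regexp engine:
    "\\\\" becomes one backslash, any other "\\x" becomes x."""
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(body[i + 1])  # drop the backslash, keep the next char
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def pattern_from_config(literal: str) -> str:
    """Return the pattern text the matcher receives for a config literal
    written as "..." (lexer unescapes) or '...' (backslashes untouched)."""
    if len(literal) >= 2 and literal[0] == literal[-1] == '"':
        return double_quote_unescape(literal[1:-1])
    if len(literal) >= 2 and literal[0] == literal[-1] == "'":
        return literal[1:-1]
    raise ValueError("expected a quoted config string")


def regexp_matches(literal: str, message: str) -> bool:
    """message(<literal>) with the default regexp matcher."""
    return re.search(pattern_from_config(literal), message) is not None


def substring_matches(literal: str, message: str) -> bool:
    """message(<literal> type(string) flags(substring)): no regexp at all."""
    return pattern_from_config(literal) in message


# Constructed sample messages: one genuine RFC1918 address, one that only
# "looks like" it once the dots become regexp wildcards.
GENUINE = "firewall: DROP src=192.168.1.5 dst=10.0.0.1"
LOOKALIKE = "firewall: DROP id=192-168-x dst=10.0.0.1"


def demo() -> dict:
    """Compare the three ways of writing the filter from the thread."""
    dq_intended = r'"192\.168\."'    # what Patrick wrote: lexer eats the backslashes
    sq_literal = r"'192\.168\.'"     # Bazsi's fix: backslashes reach the regexp engine
    dq_doubled = r'"192\\.168\\."'   # equivalent double-quoted form
    sub_fixed = "'192.168.'"         # fixed-string substring match
    return {
        "dq_pattern": pattern_from_config(dq_intended),
        "sq_pattern": pattern_from_config(sq_literal),
        "dq_doubled_pattern": pattern_from_config(dq_doubled),
        "dq_matches_lookalike": regexp_matches(dq_intended, LOOKALIKE),
        "sq_matches_lookalike": regexp_matches(sq_literal, LOOKALIKE),
        "sq_matches_genuine": regexp_matches(sq_literal, GENUINE),
        "substring_matches_genuine": substring_matches(sub_fixed, GENUINE),
        "substring_matches_lookalike": substring_matches(sub_fixed, LOOKALIKE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the double-quoted form collapsing to `192.168.`, which matches the look-alike message as well as the genuine one, while both the single-quoted regexp and the substring form match only the genuine address.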