Re: [syslog-ng] Converting filtering from 2.1 to 3.0?

On Mon, 2010-09-27 at 10:05 -0700, Matthew Hall wrote:
> Hi Bazsi,
>
> On Mon, Sep 27, 2010 at 03:07:31PM +0200, Balazs Scheidler wrote:
> > Mathew, where did you see the erroneous example? I couldn't find any?
>
> Sorry for the confusion. Let me try to say it differently from before.
>
> I was not saying the example must be erroneous, just that what Alan said
> and what the example did conflicted with each other. If Alan is right
> that you must have special markers on the variables passed to match,
> then this example from the HTML is wrong:
>
> filter demo_filter { host("example") and match("deny" value("MESSAGE")); };
>
> Because it does not put $ or ${} which Alan believed necessary for it to
> work. Alternatively, Alan made a mistake thinking these chars were
> mandatory. I think both the doc and Alan can't be right at the same
> time.
>
> So I was trying to get confirmation from Balabit about it.

No need for the "$", it was intentionally not put there as value is not
a template. e.g. you can't write this:

match("deny" value("$MSGHDR$MSG"));

syslog-ng 3.1 gives you a warning if you use '$' in the value but will
work correctly. 3.0 is not this forgiving, it'll simply not work.

-- Bazsi ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html

• This message: [ Message body ]
• Next message: Balazs Scheidler: "Re: [syslog-ng] one more sshd rule"
• Previous message: Balazs Scheidler: "Re: [syslog-ng] Buffering AF_UNIX Destination, Batch Post Processing Messages"
• In reply to: Matthew Hall: "Re: [syslog-ng] Converting filtering from 2.1 to 3.0?"
• Next in thread: Worsham, Michael: "Re: [syslog-ng] Converting filtering from 2.1 to 3.0?"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]