As I understand it, contains only looks for a single string, while == has the ability to match any of several strings

so you can't say contains [ list of values ]

but you can say == [ list of values ]

I think it would be a useful enhancement to make contains able to match any of a list instead of requiring if foo contains bar or foo contains baz

David Lang

On Mon, 16 Dec 2019, Peter Viskup via rsyslog wrote:

Date: Mon, 16 Dec 2019 09:45:43 +0100
From: Peter Viskup via rsyslog <[email protected]>
To: rsyslog-users <[email protected]>
Cc: Peter Viskup <[email protected]>
Subject: [rsyslog] string match filter 'contains' vs. '=='

Running rsyslog 8.1901.0-1 and it seems there is some difference in
processing these two filters.

On the input there is a message which is parsed with the hostname property set to
the IP address exactly. The match with use of 'contains' is not effective,
while '==' is.
Is this the expected result?

Message example (message is forwarded):
<133>1 2019-12-13T14:57:36.227429+01:00 10.1.2.5  - - 2019 Dec 13 13:57:36
UTC: %AUTHPRIV-5-SYSTEM_MSG:     root : TTY=unknown ;
PWD=/var/sysmgr/sysmgr-subproc ; USER=root ; COMMAND=/sbin/sysctl -q -w
vm.drop_caches=3 - sudo
# with debug
Debug line with all properties:
FROMHOST: '10.1.2.3', fromhost-ip: '10.1.2.3', HOSTNAME: '10.1.2.5', PRI:
133,
syslogtag '', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',

filters:
# does not work
if $hostname contains ['10.1.2.4', '10.1.2.5'] then
# does work
if $hostname contains ['10.1.2.4', '10.1.2.5'] or $hostname == '10.1.2.5'
then

The following issue is experienced on these message samples. Other properly
formatted messages from 10.1.2.4 are matched with no issues. There are no
other types of messages coming from the 10.1.2.5 address.

Peter
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
