Hi David,
If I understand you correctly, I'm using 'contains' frequently and it works
fine for me in this way.
I'm currently running rsyslogd 8.1911.0.
ex.
if ($fromhost contains ['test','test2','test3'] ) then {
}
On Mon, Dec 16, 2019 at 1:57 PM David Lang via rsyslog <
[email protected]> wrote:
> As I understand it, contains only looks for a single string, while == has
> the
> ability to match any of several stings
>
> so you can't say contains [ list of values ]
>
> but you can say == [ list of values ]
>
> I think it would be a useful enhancement to main contains able to match
> any of a
> list instead of requiring if foo conains bar or foo contains baz
>
> David Lang
>
> On Mon, 16 Dec 2019, Peter Viskup via rsyslog wrote:
>
> > Date: Mon, 16 Dec 2019 09:45:43 +0100
> > From: Peter Viskup via rsyslog <[email protected]>
> > To: rsyslog-users <[email protected]>
> > Cc: Peter Viskup <[email protected]>
> > Subject: [rsyslog] string match filter 'contains' vs. '=='
> >
> > Running rsyslog 8.1901.0-1 and it seems there is some difference in
> > processing these two filters.
> >
> > On the input there is message which is parsed with hostname property set
> to
> > the IP address exactly. The match with use of 'contains' is not
> effective,
> > while '==' is.
> > Is this expected result?
> >
> > Message example (message is forwarded):
> > <133>1 2019-12-13T14:57:36.227429+01:00 10.1.2.5 - - 2019 Dec 13
> 13:57:36
> > UTC: %AUTHPRIV-5-SYSTEM_MSG: root : TTY=unknown ;
> > PWD=/var/sysmgr/sysmgr-subproc ; USER=root ; COMMAND=/sbin/sysctl -q -w
> > vm.drop_caches=3 - sudo
> > # with debug
> > Debug line with all properties:
> > FROMHOST: '10.1.2.3', fromhost-ip: '10.1.2.3', HOSTNAME: '10.1.2.5', PRI:
> > 133,
> > syslogtag '', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
> >
> > filters:
> > # does not work
> > if $hostname contains ['10.1.2.4', '10.1.2.5'] then
> > # does work
> > if $hostname contains ['10.1.2.4', '10.1.2.5'] or $hostname == '10.1.2.5'
> > then
> >
> > Following issue is experienced on this message samples. Other properly
> > formatted messages from 10.1.2.4 are matched with no issues. There are no
> > other type of messages coming from 10.1.2.5 address.
> >
> > Peter
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
