<html><body>
<p><tt>The netmask() filter won't work for me because I have forwarding devices between the originating devices and the syslog-ng server.</tt><br>
<br>
<tt>[9000 originating devices] -> [F5 load balancer] -> [8 kiwi syslog servers] -> [1 syslog-ng server]</tt><br>
<tt> -> [4 RSA Envision collectors]</tt><br>
<br>
<tt>netmask() sees the eight kiwi servers, not the originating device. I need to distribute the 9000 originating devices across the four RSA devices, so the only way I can see to do that is with a match(IP regex).</tt><br>
<br>
<tt>Thanks,</tt><br>
<br>
<tt>Phil</tt><br>
<br>
<br>
<img width="16" height="16" src="cid:1__=0ABBFCCCDFDB3A978f9e8a93df938@wendys.com" border="0" alt="Inactive hide details for Robert Fekete ---10/30/2009 06:21:16 AM---Hi, I don't know much about regexps, but couldn't you cover"><font color="#424282">Robert Fekete ---10/30/2009 06:21:16 AM---Hi, I don't know much about regexps, but couldn't you cover this with the netmask()</font><br>
<br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr valign="top"><td width="1%"><img width="96" height="1" src="cid:2__=0ABBFCCCDFDB3A978f9e8a93df938@wendys.com" border="0" alt=""><br>
<font size="2" color="#5F5F5F">From:</font></td><td width="100%"><img width="1" height="1" src="cid:2__=0ABBFCCCDFDB3A978f9e8a93df938@wendys.com" border="0" alt=""><br>
<font size="2">Robert Fekete <frobert@balabit.com></font></td></tr>
<tr valign="top"><td width="1%"><img width="96" height="1" src="cid:2__=0ABBFCCCDFDB3A978f9e8a93df938@wendys.com" border="0" alt=""><br>
<font size="2" color="#5F5F5F">To:</font></td><td width="100%"><img width="1" height="1" src="cid:2__=0ABBFCCCDFDB3A978f9e8a93df938@wendys.com" border="0" alt=""><br>
<font size="2">Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu></font></td></tr>
<tr valign="top"><td width="1%"><img width="96" height="1" src="cid:2__=0ABBFCCCDFDB3A978f9e8a93df938@wendys.com" border="0" alt=""><br>
<font size="2" color="#5F5F5F">Date:</font></td><td width="100%"><img width="1" height="1" src="cid:2__=0ABBFCCCDFDB3A978f9e8a93df938@wendys.com" border="0" alt=""><br>
<font size="2">10/30/2009 06:21 AM</font></td></tr>
<tr valign="top"><td width="1%"><img width="96" height="1" src="cid:2__=0ABBFCCCDFDB3A978f9e8a93df938@wendys.com" border="0" alt=""><br>
<font size="2" color="#5F5F5F">Subject:</font></td><td width="100%"><img width="1" height="1" src="cid:2__=0ABBFCCCDFDB3A978f9e8a93df938@wendys.com" border="0" alt=""><br>
<font size="2">Re: [syslog-ng] problem with matching IP address and \d regex operand</font></td></tr>
</table>
<hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br>
<br>
<br>
<tt>Hi,<br>
<br>
I don't know much about regexps, but couldn't you cover this with the netmask()<br>
filter?<br>
<br>
Regards,<br>
<br>
Robert<br>
<br>
Phil.Newlon@wendysarbys.com wrote:<br>
<br>
> <br>
> I am using this regular expression with Kiwi Syslog to distribute messages<br>
> to several destinations based on the last number of the third octet (0-4<br>
> goes one place, 5-9 goes another).<br>
> <br>
> "10\.\d+\.\d*[0-4]\."<br>
> <br>
> This doesn't work with syslog-ng, of course, but based on my research of<br>
> the archives, this should do the same thing because I've escaped the "\d"<br>
> <br>
> match("10\.\\d+\.\\d*[0-4]\.")<br>
> <br>
> Nope, I get nothing. I've shortened it to just<br>
> <br>
> match("10\.\\d+")<br>
> <br>
> and still get no matching messages.<br>
> <br>
> This sort of works, but gives some unexpected results:<br>
> <br>
> match("10\.[0-9]+\.[0-9]*[0-4]\.")<br>
> <br>
> The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this<br>
> log message. I didn't expect a match on 10.87.48.4 from it because of the<br>
> '8' as the last number of the third octet not matching '0-4'<br>
> <br>
> Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4<br>
> MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009<br>
> 538 Security pos User Success Audit POS0408748<br>
> Logon/Logoff User Logoff: User Name: pos Domain:<br>
> POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033<br>
> <br>
> <br>
> <br>
> So, I have two questions.....<br>
> <br>
> What's wrong with this:<br>
> <br>
> match("10\.\\d+\.\\d*[0-4]\.")<br>
> <br>
> And why did this<br>
> match("10\.[0-9]+\.[0-9]*[0-4]\.")<br>
> match this<br>
> Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20<br>
> 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29<br>
> 16:31:17 2009 538 Security pos User Success Audit<br>
> POS0408748 Logon/Logoff User Logoff: User Name: pos<br>
> Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3<br>
> 42921033<br>
> <br>
> Thanks!<br>
> <br>
> Phil<br>
> <span style="font-size:78%;"><span style="font-family:arial;"><strong>Notice:</strong> This e-mail message and its attachments are the property of Wendy's/Arby's Group Inc. </span><br>
> <span style="font-family:arial;">or one of its subsidiaries and may contain confidential or legally privileged information intended</span><br>
> <span style="font-family:arial;">solely for the use of the addressee(s). If you are not an intended recipient, then any use, copying or</span><br>
> <span style="font-family:arial;">distribution of this message or its attachments is strictly prohibited. If you received this message in</span><br>
> <span style="font-family:arial;">error, please notify the sender and delete this message entirely from your system.</span></span><br>
> <br>
> <br>
> ------------------------------------------------------------------------<br>
> <br>
> ______________________________________________________________________________<br>
> Member info: </tt><tt><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a></tt><tt><br>
> Documentation: </tt><tt><a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a></tt><tt><br>
> FAQ: </tt><tt><a href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a></tt><tt><br>
> <br>
<br>
<br>
<br>
<br>
______________________________________________________________________________<br>
Member info: </tt><tt><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a></tt><tt><br>
Documentation: </tt><tt><a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a></tt><tt><br>
FAQ: </tt><tt><a href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a></tt><tt><br>
<br>
</tt><br>
<br>
</body></html>
<pre><span style="font-size:78%;"><span style="font-family:arial;"><strong>Notice:</strong> This e-mail message and its attachments are the property of Wendy's/Arby's Group Inc. </span>
<span style="font-family:arial;">or one of its subsidiaries and may contain confidential or legally privileged information intended</span>
<span style="font-family:arial;">solely for the use of the addressee(s). If you are not an intended recipient, then any use, copying or</span>
<span style="font-family:arial;">distribution of this message or its attachments is strictly prohibited. If you received this message in</span>
<span style="font-family:arial;">error, please notify the sender and delete this message entirely from your system.</span></span>