<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hello,<div><br></div><div>Based on your example one possible solution could be: match("cmd=username [a-z]+ privilege 15" value("MESSAGE"));</div><div><br></div><div>You could also check out the syslog-ng administrator guide, it covers a lot of possibilities: <a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/63#TOPIC-1122022">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/63#TOPIC-1122022</a></div><div><br></div><div><br></div><div>--</div><div>Kokan</div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 28, 2019 at 3:50 PM Lin, Victor <<a href="mailto:victor.lin@rbc.com">victor.lin@rbc.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<font face="Calibri" size="2"><span style="font-size:11pt">
<div>Dear all,</div>
<div><font face="Times New Roman"> </font></div>
<div>I am trying to use regex in syslog-ng.conf without success <font face="Wingdings">L</font></div>
<div><font face="Times New Roman"> </font></div>
<div>Below is from my filter</div>
<div><font face="Times New Roman"> </font></div>
<div> match("cmd=username toto privilege 15", value("MESSAGE"));</div>
<div><font face="Times New Roman"> </font></div>
<div>could you please let me know how could I replace username toto with regex ? tried /w+ , but didn’t passing through</div>
<div> </div>
<div>Thank you very much for your instruction!</div>
<div> </div>
<div>VL</div>
<div><font face="Times New Roman"> </font></div>
<div><font face="Times New Roman"> </font></div>
<div><font face="Times New Roman"> </font></div>
</span></font>
<p><font style="font-size:9pt">_______________________________________________________________________</font></p>
<p><font style="font-size:9pt">If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have consented to receive the attached electronically at the above-noted email address; please retain a copy of this confirmation for future reference.</font></p>
<p><font style="font-size:9pt">Si vous recevez ce courriel par erreur, veuillez en aviser l'expéditeur immédiatement, par retour de courriel ou par un autre moyen. Vous avez accepté de recevoir le(s) document(s) ci-joint(s) par voie électronique à l'adresse courriel indiquée ci-dessus; veuillez conserver une copie de cette confirmation pour les fins de reference future. </font></p>
<p></p></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>