Thanks a lot Kokan!!!!! I got the result :-)

One more question. For the following two:

%AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.200.210@pts/0:syslogtest:deleted user victor
%AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.201.173@pts/0:syslogtest:added user victor

I try to use the following regex to match the text in red color, it shows that it works.

AAA-6-AAA_ACCOUNTING_MESSAGE: [a-zA-Z0-9]+:[0-9.]+@[a-zA-Z0-9]+\/[a-zA-Z0-9]+:[a-zA-Z0-9]+:[a-zA-Z]+ user

Is there a simple way to match " update:10.94.200.210@pts/0:syslogtest:"

Thank you very much again!!!!!

VL

-----Original Message-----
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of syslog-ng-request@lists.balabit.hu
Sent: 2019, March, 01 7:00 AM
To: syslog-ng@lists.balabit.hu
Subject: syslog-ng Digest, Vol 167, Issue 1

Today's Topics:

   1. unofficial syslog-ng 3.20 packages for Debian/Ubuntu (Laszlo Budai)
   2. Re: How to use regex in syslog-ng.conf (Péter)
   3. Re: How to use regex in syslog-ng.conf (Fabien Wernli)

----------------------------------------------------------------------

Message: 1
Date: Fri, 1 Mar 2019 10:09:03 +0000
From: Laszlo Budai <laszlo.budai@outlook.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] unofficial syslog-ng 3.20 packages for Debian/Ubuntu
Message-ID: <VI1PR0601MB2237CC24E8908466F6ABC1B38E760@VI1PR0601MB2237.eurprd06.prod.outlook.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

syslog-ng 3.20.1[1] packages are available in OBS repo[2].

List of supported OSs:
* Debian 8.0
* Debian 9.0 [including armv7l]
* Ubuntu 14.04
* Ubuntu 16.04
* Ubuntu 16.10
* Ubuntu 17.04
* Ubuntu 17.10
* Ubuntu 18.04
* Ubuntu 18.10

Install
-------
example: Debian 9.0

1. get release key
wget -qO - http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/Debi... | sudo apt-key add -

2. add repo to APT sources
eg.: /etc/apt/sources.list.d/syslog-ng-obs.list
deb http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/Debi... ./

Then `apt-get update` and `apt-get install syslog-ng-core`

Links
--------
[1] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.20.1
[2] https://build.opensuse.org/package/show/home:laszlo_budai:syslog-ng/syslog-n...

regards,
Laszlo Budai

------------------------------

Message: 2
Date: Fri, 1 Mar 2019 11:34:00 +0100
From: Péter, Kókai <peter.kokai@oneidentity.com>
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] How to use regex in syslog-ng.conf
Message-ID: <CABxQCpjDdn3JSwA1btkF7GZGLX_De0qGq+i9GtOcz8JWjhgpzA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hello,

Based on your example one possible solution could be:
match("cmd=username [a-z]+ privilege 15" value("MESSAGE"));

You could also check out the syslog-ng administrator guide, it covers a lot of possibilities:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edit...

--
Kokan

On Thu, Feb 28, 2019 at 3:50 PM Lin, Victor <victor.lin@rbc.com> wrote:
Dear all,
I am trying to use regex in syslog-ng.conf without success :-(
Below is from my filter
match("cmd=username toto privilege 15", value("MESSAGE"));
Could you please let me know how I could replace username toto with a regex? I tried /w+, but it didn’t pass through.
Thank you very much for your instruction!
VL
______________________________________________________________________ _
If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have consented to receive the attached electronically at the above-noted email address; please retain a copy of this confirmation for future reference.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
------------------------------

Message: 3
Date: Fri, 1 Mar 2019 12:50:50 +0100
From: Fabien Wernli <wernli@in2p3.fr>
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] How to use regex in syslog-ng.conf
Message-ID: <20190301115050.hs3d5vjf27a7lwfe@ccfawe.in2p3.fr>
Content-Type: text/plain; charset="iso-8859-1"

On Fri, Mar 01, 2019 at 11:34:00AM +0100, Péter, Kókai wrote:
Hello,
Based on your example one possible solution could be: match("cmd=username [a-z]+ privilege 15" value("MESSAGE"));
You could also check out the syslog-ng administrator guide, it covers a lot of possibilities:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/63#TOPIC-1122022
also, prefer single quotes over double quotes: will make escaping easier
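Added example, not part of the thread: a small Python harness that runs the patterns discussed above against the quoted AAA lines before they go into a `match()` filter. It assumes the patterns use only syntax that Python's `re` and PCRE share; the two `cmd=` sample lines, the shorter `\S+` prefix pattern and the names `hits` and `extract_change` are constructed for illustration.

```python
import re

# Lines 0-1 are the AAA messages quoted in the thread; lines 2-3 are constructed
# around the "cmd=username toto privilege 15" fragment from the original question.
PREFIX = "%AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.200.210@pts/0:syslogtest:"
SAMPLES = [
    PREFIX + "deleted user victor",
    "%AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.201.173@pts/0:syslogtest:added user victor",
    PREFIX + "cmd=username toto privilege 15",   # constructed
    PREFIX + "cmd=username Ops_2 privilege 15",  # constructed
]

# In syslog-ng.conf a single-quoted pattern is taken literally, e.g.
#   match('cmd=username \w+ privilege 15' value("MESSAGE"));
# inside double quotes the backslash has to be doubled.
PATTERNS = {
    "literal": r"cmd=username toto privilege 15",
    "slash_w": r"cmd=username /w+ privilege 15",      # '/w+' is a literal '/' then 'w's
    "lower_only": r"cmd=username [a-z]+ privilege 15",  # misses upper case, digits, '_'
    "word": r"cmd=username \w+ privilege 15",
    "long_prefix": (r"AAA-6-AAA_ACCOUNTING_MESSAGE: [a-zA-Z0-9]+:[0-9.]+@[a-zA-Z0-9]+"
                    r"\/[a-zA-Z0-9]+:[a-zA-Z0-9]+:[a-zA-Z]+ user"),
    # Shorter form (constructed): one \S+ run covers "update:<ip>@<tty>:<host>".
    "short_prefix": r"AAA-6-AAA_ACCOUNTING_MESSAGE: \S+:(added|deleted) user ",
}


def hits(name):
    """Return the indexes of SAMPLES that the named pattern matches (unanchored)."""
    rx = re.compile(PATTERNS[name])
    return [i for i, line in enumerate(SAMPLES) if rx.search(line)]


def extract_change(line):
    """Pull source IP, action and account name out of an add/delete line."""
    m = re.search(
        r"update:(?P<ip>[0-9.]+)@\S+:(?P<action>added|deleted) user (?P<user>\S+)",
        line,
    )
    return m.groupdict() if m else None


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:12} matches sample lines {hits(name)}")
    print(extract_change(SAMPLES[0]))
```
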