I'm trying to set up a central syslog-ng server for my Exchange servers. On Windows servers I use the Epilog agent (brother of Snare) to forward tracking logs to the central syslog.
Say the format is: field1\011field2\011, so the fields in the string are separated by '\011'.
I tried:
filter f_parse { match("([^\\011]*)\\011([^\\011]*)\\011"); };
Is this your last filter? The message remembers the matches of the last filter only so you have to ensure that this regexp is executed last.
Thanks for your answer Bazsi. Finally I got it. Obviously I had used a bad regexp. Exchange tracking log uses tabs as delimiters. But when I saved the $MSG string to a text log, the tabs were changed to '\011'. So now I changed my regexp to use tabs as delimiters:
filter f_parsing { match("([^\t]*)\t([^\t]*)\t"); };
This works like a charm and saves the first two tab-delimited fields (date and time in this case) to $1 and $2. I will write a HOWTO when I finish the configuration completely. Thanks for your time. Jan
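The point of the thread, shown as an added Python example that is not part of the original posts or of syslog-ng: the same regexp that lands the first two tab-delimited fields in $1 and $2 finds nothing once the tabs have been rendered on disk as the four-character text \011, so the delimiter has to be checked in the raw message rather than in a saved text log. The sample tracking-log line and its field values are constructed placeholders.

```python
import re

# Constructed sample line in the tab-delimited layout Exchange tracking logs use.
# Field values are placeholders, not real data: date, time, then further fields.
SAMPLE_LINE = "2009-01-15\t10:23:45\tRECEIVE\tSMTP\tsender@example.invalid\tmsgid-placeholder"

# The regexp that worked in the thread: the first two tab-delimited fields
# become $1 and $2 in syslog-ng; here they become groups 1 and 2.
TAB_FIELDS = re.compile(r"([^\t]*)\t([^\t]*)\t")


def first_two_fields(msg):
    """Return (field1, field2) as syslog-ng's $1/$2 would hold them, or None if no match."""
    m = TAB_FIELDS.match(msg)
    return (m.group(1), m.group(2)) if m else None


def all_fields(msg):
    """Split the whole tab-delimited record into its fields."""
    return msg.split("\t")


def render_tabs_as_octal(msg):
    """Mimic what the poster saw on disk: every real tab replaced by the literal text \\011."""
    return msg.replace("\t", "\\011")


def delimiter_report(msg):
    """Inspect the raw message instead of a rendered log: which delimiter is really present?"""
    return {
        "has_real_tab": "\t" in msg,
        "has_literal_backslash_011": "\\011" in msg,
        "repr": repr(msg),  # repr() makes a real tab show up as \t, unmistakably
    }


if __name__ == "__main__":
    print(first_two_fields(SAMPLE_LINE))            # ('2009-01-15', '10:23:45')
    rendered = render_tabs_as_octal(SAMPLE_LINE)
    print(first_two_fields(rendered))               # None: the rendered text has no tabs
    print(delimiter_report(SAMPLE_LINE))
    print(delimiter_report(rendered))
```

Run the file directly to see both outcomes; `delimiter_report` is the check worth doing before writing a match() filter, because a log file that has already been through an escaping output stage does not show the bytes the filter will actually see.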