I appreciate the help Bazsi, I receive around 600 of these messages daily, do you know when these messages are generated? Is there any way to change that time to let's say one message/hour? TIA!
On Sun, 2007-04-29 at 10:25 -0600, Fabian Pucciarelli wrote:
> I have syslog ng writing to a mysql pipe and then a little script
> reading the pipe and writing to the db. I currently receive many
> messages like the following, I wonder if someone can help me figure
> out what this message is saying..... thanks.
>
>
> | mailux | syslog | notice | notice | 2d | 2007-04-13 | 01:16:40
> | syslog-ng | syslog-ng[30548]: Log statistics;
> dropped='pipe(/tmp/mysql.pipe)
Send syslog-ng mailing list submissions to
syslog-ng@lists.balabit.hu
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.balabit.hu/mailman/listinfo/syslog-ng
or, via email, send a message with subject or body 'help' to
syslog-ng-request@lists.balabit.hu
You can reach the person managing the list at
syslog-ng-owner@lists.balabit.hu
When replying, please edit your Subject line so it is more specific
than "Re: Contents of syslog-ng digest..."
Today's Topics:
1. Re: syslog-ng Digest, Vol 24, Issue 32 (Fabian Pucciarelli)
2. Re: turn off case sensitivity for match regex filter
(Balazs Scheidler)
3. Re: Re: syslog-ng Digest, Vol 24, Issue 32 (Balazs Scheidler)
----------------------------------------------------------------------
Message: 1
Date: Sun, 29 Apr 2007 10:25:18 -0600
From: "Fabian Pucciarelli" <fabiangp@gmail.com>
Subject: [syslog-ng] Re: syslog-ng Digest, Vol 24, Issue 32
To: syslog-ng@lists.balabit.hu
Message-ID:
<1e6757090704290925n541deb73t13eace5731aced3b@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
I have syslog ng writing to a mysql pipe and then a little script reading
the pipe and writing to the db. I currently receive many messages like the
following, I wonder if someone can help me figure out what this message is
saying..... thanks.
| mailux | syslog | notice | notice | 2d | 2007-04-13 | 01:16:40 |
syslog-ng | syslog-ng[30548]: Log statistics;
dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=40295',
processed='center(received)=13206', processed='destination(d_mysql)=40295',
processed='source(net_tcp)=0', processed='source(src)=8962',
processed='source(net_udp)=4244' | 46674 |
On 4/29/07, syslog-ng-request@lists.balabit.hu <
syslog-ng-request@lists.balabit.hu> wrote:
>
>
> Today's Topics:
>
> 1. Re: turn off case sensitivity for match regex filter
> (Balazs Scheidler)
> 2. Re: turn off case sensitivity for match regex filter (stucky)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 28 Apr 2007 12:42:06 +0200
> From: Balazs Scheidler <bazsi@balabit.hu>
> Subject: Re: [syslog-ng] turn off case sensitivity for match regex
> filter
> To: Syslog-ng users' and developers' mailing list
> <syslog-ng@lists.balabit.hu>
> Message-ID: < 1177756926.14925.17.camel@bzorp.balabit>
> Content-Type: text/plain
>
> On Sat, 2007-04-28 at 01:52 -0700, stucky wrote:
> > Guys
> >
> > Playing around with ng 2 and I started looking at the match filter
> > again.
> > Simple question that I cannot find an answer to anywhere on the net.
> > How do I turn off case sensitivity for the match target ?
> > I'd like the following line to match "error' or 'ERROR' or 'Error'
> >
> > filter logparse { match("error"); };
> >
> > but of course it only matches 'error' since by default regex is case
> > sensitive.
> > Basically I'm trying to emulate 'grep -i'
> > I guess I could do this :
> >
> > filter logparse { match("[Ee][Rr][Rr][Oo][Rr]"); }; but it'd be soo
> > much simpler to turn off case sensitivity.
>
> Yes, you are right. But it's not currently possible. It should be
> however, I'll try to add it in the near future.
>
> >
> > And while we're talking regex. Shouldn't the above line actually read
> > like this :
> >
> > filter logparse { match(".+error.+"); }; ?
> >
> > meaning "anything followed by 'error' followed by anything"
> > Both appear to work so I assume the first line is interpreted by
> > syslog-ng like the second line correct ?
>
> syslog-ng interprets "match" the same as grep, e.g. it does not care
> where the pattern is found. if you want to match the beginning or the
> end of line, you need to use explicit ^ and $ characters.
>
> --
> Bazsi
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 28 Apr 2007 12:44:04 -0700
> From: stucky < stucky101@gmail.com>
> Subject: Re: [syslog-ng] turn off case sensitivity for match regex
> filter
> To: "Syslog-ng users' and developers' mailing list"
> < syslog-ng@lists.balabit.hu>
> Message-ID:
> <30997e260704281244g6f1225bfwc7da2b4e05fdfd9f@mail.gmail.com >
> Content-Type: text/plain; charset="utf-8"
>
> Baszi
>
> Cool. I'm in the middle of building a new infrastructure and would like to
> use this feature. I'm not a programmer but I assume adding this feature
> shouldn't be very hard at all right ?
> If you had a rough ETA that'd help me.
>
> thx
>
>
>
> --
> stucky
>
> ------------------------------
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>
>
> End of syslog-ng Digest, Vol 24, Issue 32
> *****************************************
>
--
Regards,
Fabian Pucciarelli
------------------------------
Message: 2
Date: Sun, 29 Apr 2007 19:21:11 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] turn off case sensitivity for match regex
filter
To: Syslog-ng users' and developers' mailing list
<syslog-ng@lists.balabit.hu>
Message-ID: < 1177867271.9878.11.camel@bzorp.balabit>
Content-Type: text/plain
On Sat, 2007-04-28 at 12:44 -0700, stucky wrote:
> Baszi
>
> Cool. I'm in the middle of building a new infrastructure and would
> like to use this feature. I'm not a programmer but I assume adding
> this feature shouldn't be very hard at all right ?
> If you had a rough ETA that'd help me.
attached patch implements it using perl-like syntax, e.g.:
filter f_case { match('(?i)regexp'); };
It works in all filters that use regexps (e.g. match, host, program,
etc.). The regexp must begin with '(?' or otherwise the flag will not be
recognized.
Tomorrow's snapshot should contain it.
From 47f53555268efb72ab8db2d620d7669b8e5dc7a4 Mon Sep 17 00:00:00 2001
From: Balazs Scheidler <bazsi@balabit.hu >
Date: Sun, 29 Apr 2007 18:53:46 +0200
Subject: [PATCH] added support for Perl-like regexp flags to support case-ignoring matches
2007-04-28 Balazs Scheidler <bazsi@balabit.hu >
* src/filter.c (filter_re_compile): parse '(?i)' at the beginning of
regexps as an ignore-case flag, just like Perl does
---
src/filter.c | 34 +++++++++++++++++++++++++++++++---
tests/unit/test_filters.c | 5 +++++
2 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/src/filter.c b/src/filter.c
index 8e19440..cf7e3aa 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -230,11 +230,39 @@ typedef struct _FilterRE
} FilterRE;
static gboolean
-filter_re_compile(const char *re, regex_t *regex)
+filter_re_compile(const gchar *re, regex_t *regex)
{
- int rc;
+ gint rc;
+ const gchar *re_comp = re;
+ gint flags = REG_EXTENDED;
- rc = regcomp(regex, re, REG_EXTENDED);
+ if (re[0] == '(' && re[1] == '?')
+ {
+ gint i;
+
+ for (i = 2; re[i] && re[i] != ')'; i++)
+ {
+ switch (re[i])
+ {
+ case 'i':
+ flags |= REG_ICASE;
+ break;
+ }
+ }
+ if (re[i])
+ {
+ re_comp = &re[i + 1];
+ }
+ else
+ {
+ msg_error("Invalid regexp flags",
+ evt_tag_str("re", re),
+ NULL);
+ return FALSE;
+ }
+ }
+
+ rc = regcomp(regex, re_comp, flags);
if (rc)
{
gchar buf[256];
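Review bot: the `switch (re[i])` inside the new flag loop has no `default:` branch, so any character other than `i` between `(?` and `)` is skipped without comment and the whole group is stripped before `regcomp()`; a pattern such as `(?x)foo` would be compiled as plain `foo` with no error. Suggest adding a `default:` that reports "Invalid regexp flags" and returns FALSE, so the error path is not limited to the missing `)` case. A short comment above the `if (re[0] == '(' && re[1] == '?')` test stating that flags are only recognised at the very start of the pattern would also help.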
diff --git a/tests/unit/test_filters.c b/tests/unit/test_filters.c
index 58236d7..187b572 100644
--- a/tests/unit/test_filters.c
+++ b/tests/unit/test_filters.c
@@ -137,11 +137,16 @@ main(int argc G_GNUC_UNUSED, char *argv[] G_GNUC_UNUSED)
testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_host_new("^host$"), 1);
testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_host_new("^hos$"), 0);
+ testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_host_new("pthread"), 0);
fprintf(stderr, "One \"invalid regular expressions\" message is to be expected\n");
TEST_ASSERT(filter_host_new("((") == NULL);
+ fprintf(stderr, "One \"invalid regular expressions\" message is to be expected\n");
+ TEST_ASSERT(filter_host_new("(?iana") == NULL);
+
testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_match_new(" PTHREAD "), 1);
testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_match_new("^PTHREAD$"), 0);
+ testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_match_new("(?i)pthread"), 1);
fprintf(stderr, "One \"invalid regular expression\" message is to be expected\n");
TEST_ASSERT(filter_match_new("((") == NULL);
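Review bot: the `fprintf` added before `TEST_ASSERT(filter_host_new("(?iana") == NULL)` announces an "invalid regular expressions" message, but for an unterminated flag group the filter.c change logs "Invalid regexp flags" instead, so the hint printed for whoever reads the test output names the wrong message and should be reworded. The new cases also exercise `(?i)` only through `filter_match_new`; a `filter_host_new("(?i)HOST")` case expecting 1 and a `filter_match_new("pthread")` case expecting 0 would pin down both the host filter path and the case-sensitive default.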
--
Bazsi
------------------------------
Message: 3
Date: Sun, 29 Apr 2007 19:24:51 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] Re: syslog-ng Digest, Vol 24, Issue 32
To: Syslog-ng users' and developers' mailing list
<syslog-ng@lists.balabit.hu>
Message-ID: <1177867491.9878.16.camel@bzorp.balabit>
Content-Type: text/plain
On Sun, 2007-04-29 at 10:25 -0600, Fabian Pucciarelli wrote:
> I have syslog ng writing to a mysql pipe and then a little script
> reading the pipe and writing to the db. I currently receive many
> messages like the following, I wonder if someone can help me figure
> out what this message is saying..... thanks.
>
>
> | mailux | syslog | notice | notice | 2d | 2007-04-13 | 01:16:40
> | syslog-ng | syslog-ng[30548]: Log statistics;
> dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=40295',
> processed='center(received)=13206',
> processed='destination(d_mysql)=40295', processed='source(net_tcp)=0',
> processed='source(src)=8962', processed='source(net_udp)=4244' |
> 46674 |
This contains the various message counters that syslog-ng maintains
internally.
'processed' counters just count how many messages were processed at the
given point, 'dropped' counters indicate how many log messages were
dropped by syslog-ng itself.
The string in the parentheses tells where the given counter is counting
inside syslog-ng.
'center' is the main log message dispatching mechanism, it received
13206 messages from various sources and then sent 40295 messages out,
e.g. you are probably sending individual messages to multiple
destinations.
You have two sources, one named 'src' generated 8962, the other called
'net_udp' 4244 messages.
--
Bazsi
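
The counter layout explained in the message above can be checked mechanically. The following is an added example, not part of the original message or of syslog-ng: it parses one "Log statistics;" line, reports any non-zero 'dropped' counter and compares the source totals with 'center(received)'. The function names `parse_stats` and `summarize` are hypothetical, and the sample line is constructed from the counters quoted in the thread.

```python
import re

# Constructed sample: the counters quoted in the message above, joined onto one line.
SAMPLE = (
    "syslog-ng[30548]: Log statistics; "
    "dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=40295', "
    "processed='center(received)=13206', processed='destination(d_mysql)=40295', "
    "processed='source(net_tcp)=0', processed='source(src)=8962', "
    "processed='source(net_udp)=4244'"
)

# One counter has the shape kind='where(name)=value', e.g. processed='source(src)=8962'
COUNTER_RE = re.compile(r"(\w+)='(\w+)\(([^)]*)\)=(\d+)'")


def parse_stats(message):
    """Return {(kind, where, name): value}, or None if this is not a statistics message."""
    _, marker, body = message.partition("Log statistics;")
    if not marker:
        return None
    return {(k, w, n): int(v) for k, w, n, v in COUNTER_RE.findall(body)}


def summarize(stats):
    """Derive the figures an operator would watch from one parsed statistics message."""
    def total(kind, where):
        return sum(v for (k, w, _), v in stats.items() if k == kind and w == where)

    received = stats.get(("processed", "center", "received"), 0)
    queued = stats.get(("processed", "center", "queued"), 0)
    return {
        # Any non-zero 'dropped' counter means syslog-ng itself discarded messages.
        "dropped": {f"{w}({n})": v for (k, w, n), v in stats.items()
                    if k == "dropped" and v > 0},
        # Sum over all 'source' counters; comparable with center(received).
        "from_sources": total("processed", "source"),
        "received": received,
        # queued / received: above 1 when messages go to more than one destination.
        "fan_out": round(queued / received, 2) if received else 0.0,
    }


if __name__ == "__main__":
    print(summarize(parse_stats(SAMPLE)))
```
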
------------------------------
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
End of syslog-ng Digest, Vol 24, Issue 33
*****************************************