On Mon, Dec 19, 2005 at 09:59:04AM +0100, Balazs Scheidler wrote:
> On Sat, 2005-12-17 at 22:14 +0100, Staszek Pitucha wrote:
> > Hello, I've tried to set up some filters lately (v1.9.7). There's a problem with the regex character ^. For example, I want to filter out "Accepted password" and my home IP from sshd logs, so I set up:
> >
> > filter f_sshd {
> >     (program("sshd") and not (
> >         (match("Accepted password") and match("from 123\.456\.789\.012"))
> >         or // other rules
> >     )) or not program("sshd");
> > };
> >
> > Works ok, but I want to filter only messages starting with "Accepted password", but "^Accepted password" doesn't work.
> >
> > Yes - I know - don't use ^, so it's faster. Anyway - "^Accepted" should work as a match pattern and it doesn't. (It should match only the "text" part of the message, am I right?)
>
> No, matches everything starting from the program name.
This isn't what I've observed in the past, but when I test now with 1.6.8 I see that this catches all the sshd messages:

filter f_ssh_any { match("^sshd"); };
destination d_ssh_any { file("/tmp/ssh_any.log"); };
log { source(src); filter(f_ssh_any); destination(d_ssh_any); };

I remember when developing matches for 1.6.6 or 1.6.7 that the program name wasn't available when using the match() function. Did this change recently, or did I do something wrong back then?

BTW, I've created a new FAQ item to help people with quoting and escaping in syslog-ng regexes.

http://www.campin.net/syslog-ng/faq.html#escaping

-- 
Nate

"Humour is the great thing, the saving thing. The minute it crops up, all our irritations and resentments slip away and a sunny spirit takes their place" - Samuel Clemens
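Added example, not from the thread and not syslog-ng's own code: a small Python simulation of the 1.x match() behaviour Balazs describes (the regex is applied to the text from the program name onward), run over constructed sshd and cron records, to show why "^Accepted password" selects nothing while "^sshd" selects every sshd line, and how anchoring on the message text then requires spelling out the program prefix. The exact "program[pid]: message" layout is an assumption, as are the sample records.

```python
import re

# Constructed sample records (program, pid, message); not taken from the thread.
# 123.456.789.012 is the placeholder address used in Staszek's filter.
SAMPLE_LOG = [
    ("sshd", 1201, "Accepted password for alice from 123.456.789.012 port 51000 ssh2"),
    ("sshd", 1202, "Accepted password for bob from 10.0.0.5 port 51001 ssh2"),
    ("sshd", 1203, "Failed password for root from 10.0.0.9 port 51002 ssh2"),
    ("cron", 77, "(root) CMD (run-parts /etc/cron.hourly) Accepted password"),
]


def match_text(program, pid, message):
    """Assumed 1.x layout of the text match() is applied to: everything from
    the program name onward, i.e. 'program[pid]: message' (per Balazs's reply)."""
    return f"{program}[{pid}]: {message}"


def filter_hits(pattern, records=SAMPLE_LOG):
    """Messages a filter { match("<pattern>"); } would select."""
    rx = re.compile(pattern)
    return [m for p, pid, m in records if rx.search(match_text(p, pid, m))]


def f_sshd_keep(program, pid, message, home_ip=r"from 123\.456\.789\.012"):
    """Staszek's f_sshd filter rendered in Python: drop sshd 'Accepted password'
    lines from the home address, pass everything else through."""
    if program != "sshd":
        return True
    text = match_text(program, pid, message)
    noisy = re.search("Accepted password", text) and re.search(home_ip, text)
    return not noisy


if __name__ == "__main__":
    # "^Accepted password" never matches: the text starts with the program name.
    print(filter_hits(r"^Accepted password"))  # []
    # "^sshd" matches every sshd line, as Nate observed with 1.6.8.
    print(filter_hits(r"^sshd"))
    # Unanchored, the pattern also picks up the unrelated cron line.
    print(filter_hits(r"Accepted password"))
    # Anchoring on the message text means spelling out the program prefix.
    print(filter_hits(r"^sshd\[[0-9]+\]: Accepted password"))
    for rec in SAMPLE_LOG:
        print(f_sshd_keep(*rec), rec[2])
```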