Maybe you need to quote the \ to pass it through to lower layers. Just a thought. Try this: filter f_conn_from_unk_private { not match("unknown\\\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"); }; -----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Len Conrad Sent: 01 October 2008 13:57 To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] escaping \[ not respected
Hello,
targeted string is "unknown[a.b.c.d]"
my filter:
filter f_conn_from_unk_private { not match ("unknown\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"); };
error:
Error compiling regular expression; re='[(10.1.|10.2.|10.10.5.|192.168.200)', error='brackets ([ ]) not balanced'
I can't confirm this behaviour, as the following does work for me:
filter f_internal_statistics { match("^syslog-ng\[[[:digit:]]+.: STATS") or match ("^syslog-ng\[[[:digit:]]+\]: Log statistics"); };
What syslog-ng version are you using? Mine is 2.0.9
Installed with FreeBSD pkg_add from freshports.org, pkg_info shows: "syslog-ng2-2.0.9_1 A powerful syslogd replacement" I conclude that I've found a bug in the parsing of the escape sequence "\[" , and will look for a work around. thanks, Len ______________________________________________ IMGate OpenSource Mail Firewall www.IMGate.net ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html