Hello,

By simple you mean you want a more compact regular expression ?

Just shortening you could do something like this: "AAA-6-AAA_ACCOUNTING_MESSAGE: [^@]+@[^:]+:[^:]+:[a-zA-Z]+ user"

But this would match your example fine: "AAA-6-AAA_ACCOUNTING_MESSAGE: .+:[a-zA-Z]+ user".

Do you have pattern that you do not want to match ? Is there any description about the message format that you want to match ? As I would try to build a regex for that instead guessing.

--
Kokan

On Sat, Mar 2, 2019 at 11:28 PM Lin, Victor <victor.lin@rbc.com> wrote:
Thanks a lot Kokan!!!!!
 
I got the result :-)
 
One more question
For the following two
%AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.200.210@pts/0:syslogtest:deleted user victor
%AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.201.173@pts/0:syslogtest:added user victor
 
I try to use the following regex to match the text in red color, it shows works.
 
AAA-6-AAA_ACCOUNTING_MESSAGE: [a-zA-Z0-9]+:[0-9.]+@[a-zA-Z0-9]+\/[a-zA-Z0-9]+:[a-zA-Z0-9]+:[a-zA-Z]+ user
 
Is there a simple way to math  " update:10.94.200.210@pts/0:syslogtest:"
 
Thank you very much again‼‼!
 
VL
 
-----Original Message-----
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of syslog-ng-request@lists.balabit.hu
Sent: 2019, March, 01 7:00 AM
To: syslog-ng@lists.balabit.hu
Subject: syslog-ng Digest, Vol 167, Issue 1
 
Send syslog-ng mailing list submissions to
 
To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
 
You can reach the person managing the list at
 
When replying, please edit your Subject line so it is more specific than "Re: Contents of syslog-ng digest..."
 
 
Today's Topics:
 
   1.  unofficial syslog-ng 3.20 packages for Debian/Ubuntu
      (Laszlo Budai)
   2. Re:  How to use regex in syslog-ng.conf (Péter)
   3. Re:  How to use regex in syslog-ng.conf (Fabien Wernli)
 
 
----------------------------------------------------------------------
 
Message: 1
Date: Fri, 1 Mar 2019 10:09:03 +0000
From: Laszlo Budai <laszlo.budai@outlook.com>
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] unofficial syslog-ng 3.20 packages for
        Debian/Ubuntu
Message-ID:
       
Content-Type: text/plain; charset="iso-8859-1"
 
Hi,
 
 
syslog-ng 3.20.1[1] packages are available in OBS repo[2].
 
List of supported OSs:
* Debian 8.0
* Debian 9.0 [including armv7l]
* Ubuntu 14.04
* Ubuntu 16.04
* Ubuntu 16.10
* Ubuntu 17.04
* Ubuntu 17.10
* Ubuntu 18.04
* Ubuntu 18.10
 
 
Install
-------
 
example: Debian 9.0
 
1. get release key
 
2. add repo to APT sources
eg.: /etc/apt/sources.list.d/syslog-ng-obs.list
 
Then `apt-get update` and `apt-get install syslog-ng-core`
 
 
Links
--------
 
 
regards,
Laszlo Budai
-------------- next part --------------
An HTML attachment was scrubbed...
 
------------------------------
 
Message: 2
Date: Fri, 1 Mar 2019 11:34:00 +0100
From: Péter, Kókai <peter.kokai@oneidentity.com>
To: "Syslog-ng users' and developers' mailing list"
Subject: Re: [syslog-ng] How to use regex in syslog-ng.conf
Message-ID:
Content-Type: text/plain; charset="utf-8"
 
Hello,
 
Based on your example one possible solution could be: match("cmd=username [a-z]+ privilege 15" value("MESSAGE"));
 
You could also check out the syslog-ng administrator guide, it covers a lot of possibilities:
 
 
--
Kokan
 
On Thu, Feb 28, 2019 at 3:50 PM Lin, Victor <victor.lin@rbc.com> wrote:
 
> Dear all,
>
> I am trying to use regex in syslog-ng.conf without success L
>
> Below is from my filter
>
> match("cmd=username toto privilege 15", value("MESSAGE"));
>
> could you please let me know how could I replace username toto with
> regex ? tried /w+  , but didn’t passing through
>
> Thank you very much for your instruction!
>
> VL
>
>
>
>
> ______________________________________________________________________
> _
>
> If you received this email in error, please advise the sender (by
> return email or otherwise) immediately. You have consented to receive
> the attached electronically at the above-noted email address; please
> retain a copy of this confirmation for future reference.
>
> Si vous recevez ce courriel par erreur, veuillez en aviser
> l'expéditeur immédiatement, par retour de courriel ou par un autre
> moyen. Vous avez accepté de recevoir le(s) document(s) ci-joint(s) par
> voie électronique à l'adresse courriel indiquée ci-dessus; veuillez
> conserver une copie de cette confirmation pour les fins de reference future.
>
>
> ______________________________________________________________________
> ________ Member info:
> Documentation:
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
 
------------------------------
 
Message: 3
Date: Fri, 1 Mar 2019 12:50:50 +0100
From: Fabien Wernli <wernli@in2p3.fr>
To: "Syslog-ng users' and developers' mailing list"
Subject: Re: [syslog-ng] How to use regex in syslog-ng.conf
Content-Type: text/plain; charset="iso-8859-1"
 
On Fri, Mar 01, 2019 at 11:34:00AM +0100, Péter, Kókai wrote:
> Hello,
>
> Based on your example one possible solution could be:
> match("cmd=username [a-z]+ privilege 15" value("MESSAGE"));
>
> You could also check out the syslog-ng administrator guide, it covers
> a lot of possibilities:
> e-edition/3.20/administration-guide/63#TOPIC-1122022
 
also, prefer single quotes over double quotes: will make escaping easier
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2801 bytes
Desc: not available
 
------------------------------
 
Subject: Digest Footer
 
_______________________________________________
 
 
------------------------------
 
End of syslog-ng Digest, Vol 167, Issue 1
*****************************************
 

_______________________________________________________________________

If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have consented to receive the attached electronically at the above-noted email address; please retain a copy of this confirmation for future reference.

Si vous recevez ce courriel par erreur, veuillez en aviser l'expéditeur immédiatement, par retour de courriel ou par un autre moyen. Vous avez accepté de recevoir le(s) document(s) ci-joint(s) par voie électronique à l'adresse courriel indiquée ci-dessus; veuillez conserver une copie de cette confirmation pour les fins de reference future.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq