I think you've nailed it here. My understanding is that Syslog-NG does its own backslash escaping before passing the string to the regex engine, which then does the regex backslash escaping. That means you need to double your backslash in those cases. I've also found this to be the case for periods and carets. If you do '\.' it will still match any character, as syslog-ng strips the first backslash before passing through the regex. To match a real period you need to do '\\.' (same with '\^'; to match a real caret you need '\\^'). I don't remember if, or how well, this is documented. I know it kicked my butt pretty good until I figured out that I needed to backslash escape the backslash escape in a regex, though. Specifically, when using single escaped periods, I was getting bitten with IP address regexes that were inexplicably matching things they shouldn't be.
-- Christopher Cashell
Fegan, Joe did thus speak on 10/1/2008 10:23 AM:
Maybe you need to quote the \ to pass it through to lower layers. Just a thought. Try this:
filter f_conn_from_unk_private { not match("unknown\\\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"); };
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Len Conrad
Sent: 01 October 2008 13:57
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] escaping \[ not respected
Hello,
targeted string is "unknown[a.b.c.d]"
my filter:
filter f_conn_from_unk_private { not match ("unknown\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"); };
error:
Error compiling regular expression; re='[(10.1.|10.2.|10.10.5.|192.168.200)', error='brackets ([ ]) not balanced'
I can't confirm this behaviour, as the following does work for me:
filter f_internal_statistics { match("^syslog-ng\[[[:digit:]]+.: STATS") or match ("^syslog-ng\[[[:digit:]]+\]: Log statistics"); };
What syslog-ng version are you using? Mine is 2.0.9
Installed with FreeBSD pkg_add from freshports.org, pkg_info shows:
"syslog-ng2-2.0.9_1 A powerful syslogd replacement"
I conclude that I've found a bug in the parsing of the escape sequence "\[", and will look for a workaround.
thanks, Len
______________________________________________ IMGate OpenSource Mail Firewall www.IMGate.net
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
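The two unescaping layers discussed in this thread, as an added example that is not taken from any of the posts or from syslog-ng itself. It assumes a simplified model in which the configuration parser drops each backslash and keeps the character after it, and it uses Python's `re` as a stand-in for the regex engine; `config_unescape`, `evaluate` and the sample strings are constructed for illustration.

```python
import re

def config_unescape(s: str) -> str:
    """First layer (assumed model): drop each backslash, keep the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def evaluate(config_text: str, samples):
    """Return (regex the engine receives, compile error or None, {sample: matched})."""
    pattern = config_unescape(config_text)
    try:
        rx = re.compile(pattern)  # second layer: the regex engine's own escaping
    except re.error as exc:
        return pattern, str(exc), {}
    return pattern, None, {s: bool(rx.search(s)) for s in samples}

# The network alternation exactly as typed in the filters quoted in the thread.
NETS = r"(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"
SINGLE = r"unknown\[" + NETS      # one backslash everywhere
TRIPLE = r"unknown\\\[" + NETS    # bracket survives, periods do not
DOUBLED = r"unknown\\[" + NETS.replace("\\", "\\\\")  # every escape doubled

# Constructed sample strings in the "unknown[a.b.c.d]" shape from the thread.
SAMPLES = ["unknown[10.1.2.3]", "unknown[10.105.3.4]", "unknown[172.16.0.9]"]

if __name__ == "__main__":
    for name, text in (("single", SINGLE), ("triple", TRIPLE), ("doubled", DOUBLED)):
        pattern, err, hits = evaluate(text, SAMPLES)
        print(f"{name:8} engine sees: {pattern}")
        print(f"{'':8} compile error: {err}" if err else f"{'':8} matches: {hits}")
```

With single-escaped periods the pattern compiles but `10.1.` also matches `10.105.3.4`, so a `not match(...)` filter built on it would drop hosts outside the intended networks.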