Thank you, Robert.

I guess since I only have syslog-ng OSE 3.0.10-1.rhel5 this regexp comparison stuff won't work anyway - that's a pity. I have to use CentOS 5 - do you know some yum repository providing newer OSE versions than 3.0.10-1.rhel5, e.g. OSE 3.3 or 3.2?

Regards,
Roland

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Fekete Robert
Sent: Tuesday, March 29, 2011 11:57
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Regexp values in comparison

Hi,

yes, you can do such things in syslog-ng OSE 3.2 and 3.3, but not in earlier versions. Check out https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-gui... for details.

Regards,
Robert

On 03/29/2011 10:27 AM, Roland Kamke wrote:

A newbie question: Is it possible to use values matching a regular expression in a comparison?
Imagine I receive messages like this: "Disk usage is 60%", "Disk usage is 80%", etc. All match the regular expression "Disk usage is [0-9]+%". I do not want to log all these messages, but only those where disk usage is at least 75 per cent. Can this be achieved by proper configuration? Where to look in the documentation?

Currently I am stuck with this approach:

    parser p_disk {
        csv-parser(columns("fix.disk","fix.usage", "fix.is", "diskusage")
                   delimiters(" %") );
    };
    filter f_disk_syntax { message("Disk usage is [0-9]+%"); };
    filter f_disk_usage { "$diskusage" > "75" };
    log l_mylog {
        source(...);
        filter(f_disk_syntax);
        parser(p_disk);
        filter(f_disk_usage);
        destination(...);
    };

Is this a useful approach? Can it be accomplished with fewer definitions? The definition of f_disk_usage results in a syntax error. What would be the right syntax?

    filter f_disk_usage { "$diskusage" > "75" };
    filter f_disk_usage { "$diskusage" ge "75" };
    filter f_disk_usage { value("diskusage") > "75" };
    filter f_disk_usage { "$diskusage" > 75};
    filter f_disk_usage { "${diskusage}" > "75" };
    filter f_disk_usage { ${diskusage} > "75" };

Will I need to set up a pattern database to get rid of all unwanted messages?
Thank you Roland
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
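
The filtering asked about in this thread, written two ways as an added example (not from either poster, and not the project's own configuration): option A uses the numeric comparison that the reply says requires OSE 3.2 or 3.3 and reuses the parser from the question unchanged; option B encodes the threshold in the regular expression, so it needs only the message() filter already used in the question. The names f_disk_high, s_src and d_disk are hypothetical, and option B assumes usage is reported as an integer from 0 to 100.

```conf
# Option A: syslog-ng OSE 3.2 or later (comparison of macro values).
# p_disk and f_disk_syntax are taken unchanged from the question.
parser p_disk {
    csv-parser(columns("fix.disk", "fix.usage", "fix.is", "diskusage")
               delimiters(" %"));
};
filter f_disk_syntax { message("Disk usage is [0-9]+%"); };

# ">=" compares numerically ("at least 75"); the macro keeps its "$" and
# both operands are quoted. The string operators (ge, gt, ...) compare
# alphabetically, so "100" would sort before "75".
filter f_disk_usage { "$diskusage" >= "75" };

log {
    source(s_src);            # hypothetical source name
    filter(f_disk_syntax);    # run before the parser, as in the question
    parser(p_disk);
    filter(f_disk_usage);
    destination(d_disk);      # hypothetical destination name
};

# Option B: no comparison operator and no parser.
# The alternation matches 75-79, 80-99 and 100 (assumed range 0-100).
filter f_disk_high { message("Disk usage is (7[5-9]|[89][0-9]|100)%"); };

log {
    source(s_src);            # hypothetical source name
    filter(f_disk_high);
    destination(d_disk);      # hypothetical destination name
};
```

Option B hard-codes the threshold into the pattern, so changing it means rewriting the alternation rather than editing one number.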