Thanks Balint The patch was not quite complete (don't you hate copy and paste!) as it did not reference your new parser. A small fix, and it worked like a charm. Evan. ________________________________________ From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balint Kovacs [balint.kovacs@balabit.com] Sent: Sunday, November 27, 2011 9:47 AM To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] Feature Request - patterndb match set Hi Evan, On 11/27/2011 06:10 AM, Evan Rempel wrote:

I have come across some odd lines that really can't be matched/parsed by the patterndb

2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: Module Size Used by 2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfs26 1945576 0 2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfslinux 326280 1 mmfs26 2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: tracedev 67148 2 mmf

I would like to match these and parse out the number. The catch is that the number is right justified which means that there is a variable number of spaces before the number.

I am open to suggestions about how to make a paterndb pattern to match this and parse the number into a tag/value pair.

Failing that I would propose that a @SET@ parser.

@SET:name:character set@

This will match a sequence of characters that contain any of, and only those characters listed by "character set"

This will allow matches of arbitrary length separators such as spaces or hyphens or other cases that can not yet be handled.

Comments?

Evan This is something I would have needed recently as well, I ran across the same problem with squid logs and padded usernames. STRING is not okay, since you can only extend the set of matched chars, not specify them and it will match the following tokens as well. I never tried to do a parser before, but it seemed quite easy, so I'm sending a patch in a separate thread that implements your idea and let's see what Bazsi thinks about it.

Balint ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

DDD ----- Original Message ----- From: Evan Rempel [mailto:erempel@uvic.ca] Sent: Sunday, November 27, 2011 07:25 PM To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: Re: [syslog-ng] Feature Request - patterndb match set Thanks Balint The patch was not quite complete (don't you hate copy and paste!) as it did not reference your new parser. A small fix, and it worked like a charm. Evan. ________________________________________ From: syslog-ng-bounces@lists.balabit.hu [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balint Kovacs [balint.kovacs@balabit.com] Sent: Sunday, November 27, 2011 9:47 AM To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] Feature Request - patterndb match set Hi Evan, On 11/27/2011 06:10 AM, Evan Rempel wrote:

I have come across some odd lines that really can't be matched/parsed by the patterndb

2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: Module Size Used by 2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfs26 1945576 0 2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfslinux 326280 1 mmfs26 2011-11-25T10:49:21-08:00 mmfs@hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: tracedev 67148 2 mmf

I would like to match these and parse out the number. The catch is that the number is right justified which means that there is a variable number of spaces before the number.

I am open to suggestions about how to make a paterndb pattern to match this and parse the number into a tag/value pair.

Failing that I would propose that a @SET@ parser.

@SET:name:character set@

This will match a sequence of characters that contain any of, and only those characters listed by "character set"

This will allow matches of arbitrary length separators such as spaces or hyphens or other cases that can not yet be handled.

Comments?

Evan This is something I would have needed recently as well, I ran across the same problem with squid logs and padded usernames. STRING is not okay, since you can only extend the set of matched chars, not specify them and it will match the following tokens as well. I never tried to do a parser before, but it seemed quite easy, so I'm sending a patch in a separate thread that implements your idea and let's see what Bazsi thinks about it.

Balint ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq