problem with matching IP address and \d regex operand
I am using this regular expression with Kiwi Syslog to distribute messages to several destinations based on the last number of the third octet (0-4 goes one place, 5-9 goes another).

"10\.\d+\.\d*[0-4]\."

This doesn't work with syslog-ng, of course, but based on my research of the archives, this should do the same thing because I've escaped the "\d"

match("10\.\\d+\.\\d*[0-4]\.")

Nope, I get nothing. I've shortened it to just

match("10\.\\d+")

and still get no matching messages.

This sort of works, but gives some unexpected results:

match("10\.[0-9]+\.[0-9]*[0-4]\.")

The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this log message. I didn't expect a match on 10.87.48.4 from it because of the '8' as the last number of the third octet not matching '0-4'

Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033

So, I have two questions.....

What's wrong with this:

match("10\.\\d+\.\\d*[0-4]\.")

And why did this match("10\.[0-9]+\.[0-9]*[0-4]\.") match this

Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033

Thanks!

Phil

Notice: This e-mail message and its attachments are the property of Wendy's/Arby's Group Inc. or one of its subsidiaries and may contain confidential or legally privileged information intended solely for the use of the addressee(s). If you are not an intended recipient, then any use, copying or distribution of this message or its attachments is strictly prohibited. If you received this message in error, please notify the sender and delete this message entirely from your system.
Hi,

I don't know much about regexps, but couldn't you cover this with the netmask() filter?

Regards,
Robert

Phil.Newlon@wendysarbys.com wrote:
I am using this regular expression with Kiwi Syslog to distribute messages to several destinations based on the last number of the third octet (0-4 goes one place, 5-9 goes another).
"10\.\d+\.\d*[0-4]\."
This doesn't work with syslog-ng, of course, but based on my research of the archives, this should do the same thing because I've escaped the "\d"
match("10\.\\d+\.\\d*[0-4]\.")
Nope, I get nothing. I've shortened it to just
match("10\.\\d+")
and still get no matching messages.
This sort of works, but gives some unexpected results:
match("10\.[0-9]+\.[0-9]*[0-4]\.")
The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this log message. I didn't expect a match on 10.87.48.4 from it because of the '8' as the last number of the third octet not matching '0-4'
Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033
So, I have two questions.....
What's wrong with this:
match("10\.\\d+\.\\d*[0-4]\.")
And why did this match("10\.[0-9]+\.[0-9]*[0-4]\.") match this Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033
Thanks!
Phil
The netmask() filter won't work for me because I have forwarding devices between the originating devices and the syslog-ng server.

[9000 originating devices] -> [F5 load balancer] -> [8 kiwi syslog servers] -> [1 syslog-ng server] -> [4 RSA Envision collectors]

netmask() sees the eight kiwi servers, not the originating device. I need to distribute the 9000 originating devices across the four RSA devices, so the only way I can see to do that is with a match(IP regex).

Thanks,
Phil

From: Robert Fekete <frobert@balabit.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Date: 10/30/2009 06:21 AM
Subject: Re: [syslog-ng] problem with matching IP address and \d regex operand
Hi,

I don't know much about regexps, but couldn't you cover this with the netmask() filter?

Regards,
Robert

Phil.Newlon@wendysarbys.com wrote:
I am using this regular expression with Kiwi Syslog to distribute messages to several destinations based on the last number of the third octet (0-4 goes one place, 5-9 goes another).
"10\.\d+\.\d*[0-4]\."
This doesn't work with syslog-ng, of course, but based on my research of the archives, this should do the same thing because I've escaped the "\d"
match("10\.\\d+\.\\d*[0-4]\.")
Nope, I get nothing. I've shortened it to just
match("10\.\\d+")
and still get no matching messages.
This sort of works, but gives some unexpected results:
match("10\.[0-9]+\.[0-9]*[0-4]\.")
The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this log message. I didn't expect a match on 10.87.48.4 from it because of the '8' as the last number of the third octet not matching '0-4'
Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033
So, I have two questions.....
What's wrong with this:
match("10\.\\d+\.\\d*[0-4]\.")
And why did this match("10\.[0-9]+\.[0-9]*[0-4]\.") match this Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033
Thanks!
Phil
Granted I haven't used Kiwi in a few years and I'm sure it's much better than it was (I hear they finally added multi-core support), but if you've got under 50,000 events per second, couldn't you just go

[9000 originating devices] -> [1 syslog-ng server] -> [4 RSA Envision collectors]

or, if you've really got that many events,

[9000 originating devices] -> [F5 load balancer] -> [2 syslog-ng servers] -> [4 RSA Envision collectors]

in short, what do you need the Kiwi servers for?

Also, I'm using Cisco server load balancing (available in many IOS versions) to distribute logs across multiple Syslog-NG instances, and it works very well for providing both load balancing and high availability. That may save you from having to use the F5 if you're not using it for anything else.

--Martin

On Fri, Oct 30, 2009 at 8:59 AM, <Phil.Newlon@wendysarbys.com> wrote:
The netmask() filter won't work for me because I have forwarding devices between the originating devices and the syslog-ng server.
[9000 originating devices] -> [F5 load balancer] -> [8 kiwi syslog servers] -> [1 syslog-ng server]
-> [4 RSA Envision collectors]
netmask() sees the eight kiwi servers, not the originating device. I need to distribute the 9000 originating devices across the four RSA devices, so the only way I can see to do that is with a match(IP regex).
Thanks,
Phil
From: Robert Fekete <frobert@balabit.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Date: 10/30/2009 06:21 AM
Subject: Re: [syslog-ng] problem with matching IP address and \d regex operand
Hi,
I don't know much about regexps, but couldn't you cover this with the netmask() filter?
Regards,
Robert
Phil.Newlon@wendysarbys.com wrote:
I am using this regular expression with Kiwi Syslog to distribute messages to several destinations based on the last number of the third octet (0-4 goes one place, 5-9 goes another).
"10\.\d+\.\d*[0-4]\."
This doesn't work with syslog-ng, of course, but based on my research of the archives, this should do the same thing because I've escaped the "\d"
match("10\.\\d+\.\\d*[0-4]\.")
Nope, I get nothing. I've shortened it to just
match("10\.\\d+")
and still get no matching messages.
This sort of works, but gives some unexpected results:
match("10\.[0-9]+\.[0-9]*[0-4]\.")
The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this log message. I didn't expect a match on 10.87.48.4 from it because of the '8' as the last number of the third octet not matching '0-4'
Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033
So, I have two questions.....
What's wrong with this:
match("10\.\\d+\.\\d*[0-4]\.")
And why did this match("10\.[0-9]+\.[0-9]*[0-4]\.") match this Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033
Thanks!
Phil
Martin -
in short, what do you need the Kiwi servers for?
The (8) Kiwi boxes terminate Kiwi Secure Tunnel connections from 1450 locations, where the 9000 devices reside. I've thought about sending the streams from the Kiwis directly to the Envision boxes, but I never know which Kiwi the stream from location 1234 will come from so I will not know which RSA it will end up in. (The F5s distribute the connections, the originating systems reboot every night, who knows where the tunnel will end up from one day to another.) We cannot exceed 3500 individual devices on the RSAs, so we have to be able to explicitly control the streams, thus syslog-ng :-)

All I DO know is that the originating IP is always in the syslog message, so if I can match on a characteristic that will evenly split the streams I am good to go.

Thanks,
Phil
On Thu, 2009-10-29 at 16:40 -0400, Phil.Newlon@wendysarbys.com wrote:
I am using this regular expression with Kiwi Syslog to distribute messages to several destinations based on the last number of the third octet (0-4 goes one place, 5-9 goes another).
"10\.\d+\.\d*[0-4]\."
This doesn't work with syslog-ng, of course, but based on my research of the archives, this should do the same thing because I've escaped the "\d"
match("10\.\\d+\.\\d*[0-4]\.")
Nope, I get nothing. I've shortened it to just
match("10\.\\d+")
and still get no matching messages.
syslog-ng uses the system regexp lib (on Linux, the one in libc), are you sure it supports \d? syslog-ng uses extended regexp, e.g. the equivalent your egrep command is using. And, for me egrep doesn't understand \d:

$ echo '10' | egrep '\d+' || echo not found
not found

whereas:

$ echo '10' | egrep '[0-9]+' && echo found
10
found

In the documentation of egrep I've found these named character sets:

"""
Finally, certain named classes of characters are predefined within bracket expressions, as follows. Their names are self explanatory, and they are [:alnum:], [:alpha:], [:cntrl:], [:digit:], [:graph:], [:lower:], [:print:], [:punct:], [:space:], [:upper:], and [:xdigit:]. For example, [[:alnum:]] means [0-9A-Za-z], except the latter form depends upon the C locale and the ASCII character encoding, whereas the former is independent of locale and character set. (Note that the brackets in these class names are part of the symbolic names, and must be included in addition to the brackets delimiting the bracket expression.) Most meta-characters lose their special meaning inside bracket expressions. To include a literal ] place it first in the list. Similarly, to include a literal ^ place it anywhere but first. Finally, to include a literal - place it last.
"""

E.g. you might have wanted to say, instead of \d

$ echo '10' | egrep '[[:digit:]]+' && echo found
10
found

Also, I can see that you tried to escape the dot, right after "10", but you only used a single escape, which escapes for syslog-ng, but doesn't embed a backslash for the regexp parser.

This reminds me of an unrelated note, that if you use single quotes in syslog-ng, you don't need to escape the backslash, e.g.

match("\\.") is equivalent to match('\.')

Another unrelated note is that syslog-ng supports PCRE regular expressions if you have that compiled in, PCRE supports \d, and you can use it like this:

match('10\.\d+' type(pcre));
This sort of works, but gives some unexpected results:
match("10\.[0-9]+\.[0-9]*[0-4]\.")
The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this log message. I didn't expect a match on 10.87.48.4 from it because of the '8' as the last number of the third octet not matching '0-4'
Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033
So, I have two questions.....
What's wrong with this:
match("10\.\\d+\.\\d*[0-4]\.")
And why did this match("10\.[0-9]+\.[0-9]*[0-4]\.") match this Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033
Thanks!
Phil
-- Bazsi
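The two behaviours Bazsi describes can be reproduced directly against the C library's POSIX extended regexp engine, which is what a libc-backed syslog-ng match() uses. The program below is an added illustration, not code from the thread or from syslog-ng. The unescape_dq helper is a simplified model (an assumption) of how syslog-ng consumes backslashes inside a double-quoted config string, as described above: the backslash is dropped and the next character kept, so "\." reaches the engine as a bare "." and "\\d" as "\d". The 10.87.48.4 message is the one from the thread, shortened; the 10.87.43.4 message is constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Compile `pattern` as a POSIX extended regexp (REG_EXTENDED, the flavour
 * egrep and a libc-backed syslog-ng match() use) and test it against `text`.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int ere_matches(const char *pattern, const char *text)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, text, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Simplified model (assumption) of syslog-ng's handling of a double-quoted
 * config string: a backslash is consumed and the following character kept,
 * so "\." becomes "." and "\\d" becomes "\d". Result goes into `out`. */
char *unescape_dq(const char *s, char *out, size_t outsz)
{
    size_t n = 0;

    for (; *s != '\0' && n + 1 < outsz; s++) {
        if (*s == '\\' && s[1] != '\0')
            s++;                    /* drop the backslash, keep next char */
        out[n++] = *s;
    }
    out[n] = '\0';
    return out;
}

/* The message from the thread that unexpectedly matched (shortened). */
static const char MSG_48[] =
    "Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 "
    "MSWinEventLog 0 Security 71000 Logon Type: 3 42921033";
/* Constructed counterpart whose third octet ends in a digit from 0-4. */
static const char MSG_43[] =
    "Oct 29 16:31:20 10.87.43.4 Kiwi_Syslog_Daemon MSWinEventLog 0 Security";

int main(void)
{
    char buf[128];

    /* 1. Even with the backslash embedded, \d is not POSIX ERE: no match
     *    (glibc reads "\d" as a literal d; other libcs may reject it). */
    unescape_dq("10\\.\\\\d+", buf, sizeof buf);
    printf("%2d  %s\n", ere_matches(buf, MSG_48), buf);

    /* 2. What the engine received from match("10\.[0-9]+\.[0-9]*[0-4]\."):
     *    the single-escaped dots became "any character", so 10.87.48.4
     *    matches with [0-4] taking the '4' and the final '.' taking the '8'. */
    unescape_dq("10\\.[0-9]+\\.[0-9]*[0-4]\\.", buf, sizeof buf);
    printf("%2d  %s\n", ere_matches(buf, MSG_48), buf);

    /* 3. Dots escaped for the regexp engine: 48 is rejected, 43 accepted. */
    printf("%2d  escaped dots, third octet 48\n",
           ere_matches("10\\.[0-9]+\\.[0-9]*[0-4]\\.", MSG_48));
    printf("%2d  escaped dots, third octet 43\n",
           ere_matches("10\\.[0-9]+\\.[0-9]*[0-4]\\.", MSG_43));

    /* 4. [[:digit:]] is the portable ERE spelling of \d; same results. */
    printf("%2d  [[:digit:]] form, third octet 43\n",
           ere_matches("10\\.[[:digit:]]+\\.[[:digit:]]*[0-4]\\.", MSG_43));
    return 0;
}
```

Case 2 is the one worth remembering for a routing filter: a pattern that compiles and matches cannot be assumed to match what was intended, and a wildcard dot silently sends a device's logs to the wrong collector. Checking each filter against one message that should match and one that should not, as above, catches it before deployment.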
Bazsi - Thank you for taking the time to look at my situation.
Also, I can see that you tried to escape the dot, right after "10", but you only used a single escape, which escapes for syslog-ng, but doesn't embed a backslash for the regexp parser.
"10\.\d+\.\d*[0-4]\." (kiwi) -> "10\.\\d+\.\\d*[0-4]\." (syslog-ng) I am escaping a literal "." in the IP address (I want to match on "10." specifically.)
This reminds me to an unrelated note, that if you use single quotes in syslog-ng, you don't need to escape the backslash, e.g.
match("\\.") is equivalent to match('\.')
This is great to know! Sure cleans up some of my filters. Thanks!
Another unrelated note is that syslog-ng supports PCRE regular expressions if you have that compiled in, PCRE supports \d, and you can use it like this:
match('10\.\d+' type(pcre));
Unfortunately, this didn't work either, so PCRE must not be compiled in on my system. However, THIS works!

'10\.[[:digit:]]+\.[[:digit:]]*[0-4]\.'

Thanks again!
Phil
participants (4)
- Balazs Scheidler
- Martin Holste
- Phil.Newlon@wendysarbys.com
- Robert Fekete