I am trying to use syslog-ng to reduce certain types of logging. I have scoured the web looking for information on the supposed regex support in syslog-ng, but the only thing I have really found mention of is the "match" keyword that matches a simple string. What I wanted to know is if syslog-ng supports either POSIX or Perl-style regular expressions.

If not, has anyone found any other effective method of reducing logs using regex with an external program? (That could be used with the "program" keyword perhaps?)

Thanks in advance,

--
____________________________________________
Joe Reeves
Security Engineer II, IDS
Regions Technology Risk Management
Office: 334-956-6189
joe.reeves@regions.com
____________________________________________
"Wisdom is knowing what to do with what you know." -- J. Winter Smith
On Thursday 08 July 2004 17:56, Joe.Reeves@Regions.com wrote:
> syslog-ng, but the only thing I have really found mention of is the "match" keyword that matches a simple string. What I wanted to know is if syslog-ng supports either POSIX or Perl-style regular expressions.

From syslog-ng.conf(5):

* program(regexp to match program name)
* host(regexp to match program name)
* match(regexp to match program name)

From source file filter.c:

    regerr = regcomp(regex, re, REG_NOSUB | REG_EXTENDED);

And from regex(3):

    REG_EXTENDED
        Use POSIX Extended Regular Expression syntax when interpreting regex.
        If not set, POSIX Basic Regular Expression syntax is used.

--
bana@sitadelle.com
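An added example, not from this thread or from syslog-ng itself: it compiles a pattern with the same regcomp() flags quoted above from filter.c (REG_NOSUB | REG_EXTENDED), so a candidate match() pattern can be tried against constructed sample messages before it goes into a config that drops logs. The BRE variant is there only to show why '|' and '+' behave as they do; it assumes nothing beyond POSIX regex.h, and which part of a message match() is applied to is not covered by the thread.

```c
#include <regex.h>
#include <stdio.h>

/* Compile pattern with the given cflags and test it against msg.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
static int re_match(const char *pattern, const char *msg, int cflags)
{
    regex_t re;
    if (regcomp(&re, pattern, cflags | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, msg, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* The flags syslog-ng's filter.c uses: POSIX ERE, no subexpression capture. */
int syslog_ng_match(const char *pattern, const char *msg)
{
    return re_match(pattern, msg, REG_EXTENDED);
}

/* Same pattern under POSIX BRE, for contrast: '|' and '+' are plain literals,
 * so a pattern written for ERE silently stops matching. */
int basic_re_match(const char *pattern, const char *msg)
{
    return re_match(pattern, msg, 0);
}

int main(void)
{
    /* Constructed sample messages, not real logs. */
    static const char *const lines[] = {
        "sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50222 ssh2",
        "cron[555]: (root) CMD (run-parts /etc/cron.hourly)",
        "sshd[1240]: Failed password for invalid user admin from 10.0.0.9 port 4411 ssh2",
    };
    /* ERE: '+' repeats, '\[' and '\(' are literal brackets. A filter built
     * on this pattern would suppress only the cron line. */
    const char *cron_noise = "^cron\\[[0-9]+\\]: \\(root\\) CMD";
    for (int i = 0; i < 3; i++)
        printf("cron_noise vs line %d: %d\n", i, syslog_ng_match(cron_noise, lines[i]));
    printf("'Accepted|Failed' as ERE: %d, as BRE: %d\n",
           syslog_ng_match("Accepted|Failed", lines[0]),
           basic_re_match("Accepted|Failed", lines[0]));
    return 0;
}
```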
On Thu, Jul 08, 2004 at 06:50:32PM +0200, Xavier Lapie wrote:
> On Thursday 08 July 2004 17:56, Joe.Reeves@Regions.com wrote:
> > syslog-ng, but the only thing I have really found mention of is the "match" keyword that matches a simple string. What I wanted to know is if syslog-ng supports either POSIX or Perl-style regular expressions.
>
> From syslog-ng.conf(5):
>
> * program(regexp to match program name)
> * host(regexp to match program name)
> * match(regexp to match program name)
>
> From source file filter.c:
>
>     regerr = regcomp(regex, re, REG_NOSUB | REG_EXTENDED);
>
> And from regex(3):
>
>     REG_EXTENDED
>         Use POSIX Extended Regular Expression syntax when interpreting regex.
>         If not set, POSIX Basic Regular Expression syntax is used.
I've only had to use simple regexps in my match() expressions, and it always worked well. See some simple examples in the sample config files linked off the FAQ page (each post to this list has the URL of the FAQ).

--
Nate

To do the actual install you have to be root, but none of the normal build should require that. Don't take the name of root in vain. - /usr/src/linux/README