Re: [syslog-ng] MySQL syslog-ng regex
Thanks Bazsi, I'd appreciate it if you could send me a patch. Currently, I need to parse up to 18 arguments before inserting into the MySQL database. Muchas gracias.

----- Original Message ----
From: Balazs Scheidler <bazsi@balabit.hu>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Sent: Thursday, March 1, 2007 2:38:32 AM
Subject: Re: [syslog-ng] MySQL syslog-ng regex

On Thu, 2007-03-01 at 10:24 +0000, Hari Sekhon wrote:
one more thought, did you try ${10} or something?
This works in shell so it's worth a try.
Currently syslog-ng supports max $9. It's not too difficult to add more, I'll look into it.

-- Bazsi

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
I understand regex just fine, I don't need a reference to regular expressions, but I can't find any reference in the syslog-ng documentation to using the $1..$9 syntax for template creation, how that works if multiple filters are used/matched, and what regex syntax is supported, such as

    .{5,419}test(ed|ing) syslog

Any reference would be good :-)

-- 
Evan Rempel
erempel@uvic.ca
Senior Programmer Analyst
250.721.7691
Computing Services
University of Victoria
Using the $1 .. $n syntax for back substitution into the template can be problematic when multiple filter functions are used.

For example, if I wanted to make a template that used the short hostname and a portion of a message I could use

    host("^([^\.]+)\.")

and use $1 to get the short hostname, and

    match("bad login from ([^ ]+) ")

and use $1 to get the IP address that originated the login. The final filter would be

    filter fail_login { host("^([^\.]+)\.") and match("bad login from ([^ ]+) "); };

To create a template that used both of these, I need to use $1 twice :-(

Suggestion: allow syntax that specifies user-definable macro names for expansion.

    host("^([^\.]+)\." fullmatch shorthost)
    match("bad login from ([^ ]+) " fullmatch ip)

and the filter becomes

    filter fail_login { host("^([^\.]+)\." shorthost) and match("bad login from ([^ ]+) " ip); };

and then a template can be written as

    template my_template { template("$ISODATE $HOST $shorthost is being attacked from $ip\n"); template_escape(no); };

The "fullmatch" is in keeping with the regexp matching syntax of many languages.

An additional concern is that users might attempt to use new macro names that conflict with existing ones, but that should be easy to handle.

-- 
Evan Rempel
erempel@uvic.ca
Senior Programmer Analyst
250.721.7691
Computing Services
University of Victoria
On Thu, 2007-03-01 at 10:07 -0800, Evan Rempel wrote:
Suggestion: allow syntax that specifies user-definable macro names for expansion.

    host("^([^\.]+)\." fullmatch shorthost)
    match("bad login from ([^ ]+) " fullmatch ip)

and the filter becomes

    filter fail_login { host("^([^\.]+)\." shorthost) and match("bad login from ([^ ]+) " ip); };

and then a template can be written as

    template my_template { template("$ISODATE $HOST $shorthost is being attacked from $ip\n"); template_escape(no); };

The "fullmatch" is in keeping with the regexp matching syntax of many languages.

An additional concern is that users might attempt to use new macro names that conflict with existing ones, but that should be easy to handle.

I like this idea.

-- Bazsi
I want to have applications feeding logs into syslog-ng and have the option of using sockets or pipes. Can anyone provide info (preferably a reference) to the differences between sockets and pipes, and unix_stream/dgram? I'm finding it difficult to find a "beginners guide" to these basic structures. Evan.
On Thu, 2007-03-01 at 20:31 +0300, Fat Wallet wrote:
Thanks Bazsi, I'd appreciate it if you could send me a patch. Currently, I need to parse up to 18 arguments before inserting into the MySQL database.

I've just committed a patch that should make syslog-ng capable of using up to 255 regexp matches. You need to use the shell-like ${NNN} syntax, e.g. to get the 13th match, use:

    ${13}

It should be available in tomorrow's snapshot.

In the same patch I also reorganized an internal data structure somewhat, so some testing is more than welcome. (Basically the structure was shrunk somewhat and I tried to avoid double dereferences for certain structure members for more CPU cache friendliness.)

-- Bazsi
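To make two points in this thread concrete, Evan's observation that host() and match() both write into $1 so the second match overwrites the first, and the ${NNN} syntax Bazsi's patch introduces for matches past $9, here is a small Python emulation. It is example code added to this page, not syslog-ng's own implementation: the named-group variant stands in for Evan's proposed `shorthost`/`ip` macro syntax, which did not exist in syslog-ng at the time, and the two sample records are constructed for the example.

```python
import re
import string

# Constructed sample records (not taken from the thread), split into the
# HOST and MESSAGE parts that syslog-ng's host() and match() filters inspect.
FAILED_LOGIN = {
    "HOST": "gateway.example.net",
    "MESSAGE": "sshd[1234]: bad login from 203.0.113.7 for user root",
}
# 18 single-letter fields "a" .. "r", standing in for the 18-column message
# the MySQL poster wants to split.
WIDE_RECORD = {
    "HOST": "db1",
    "MESSAGE": " ".join(string.ascii_lowercase[:18]),
}

MAX_NUMBERED = 255  # the ceiling the patch announced above raises the match count to

# $1..$9, ${NNN} and $NAME tokens.  A bare $13 is $1 followed by a literal "3",
# exactly as in the shell, which is why multi-digit references need the braces.
_TOKEN = re.compile(r"\$(?:\{(\d+)\}|(\d)|([A-Za-z_][A-Za-z0-9_]*))")


def apply_filters(record, filters):
    """Emulate a chain of regex filters on one record.

    Each (field, pattern) is tried in order.  The numbered slots are replaced
    by the groups of the latest matching pattern (the overwrite Evan
    describes), while named groups are kept under their own macro names and
    never collide.  Returns None when any filter fails, i.e. the record is
    dropped, otherwise (numbered, named).
    """
    numbered, named = {}, {}
    for field, pattern in filters:
        m = re.search(pattern, record[field])
        if m is None:
            return None
        numbered = {i: g or "" for i, g in enumerate(m.groups(), start=1)
                    if i <= MAX_NUMBERED}
        named.update({k: v or "" for k, v in m.groupdict().items()})
    return numbered, named


def expand(template, record, numbered, named):
    """Expand $N / ${NNN} / $NAME in template; unknown references become ""."""
    def sub(tok):
        brace, digit, name = tok.groups()
        if brace or digit:
            return numbered.get(int(brace or digit), "")
        if name in named:
            return named[name]
        return record.get(name, "")
    return _TOKEN.sub(sub, template)


def numbered_template():
    """Evan's problem: both filters capture into $1 and the second wins."""
    numbered, named = apply_filters(FAILED_LOGIN, [
        ("HOST", r"^([^.]+)\."),
        ("MESSAGE", r"bad login from ([^ ]+) "),
    ])
    return expand("$HOST $1 is being attacked from $1",
                  FAILED_LOGIN, numbered, named)


def named_template():
    """Evan's proposal, emulated with Python named groups instead of the
    hypothetical host("..." shorthost) config syntax."""
    numbered, named = apply_filters(FAILED_LOGIN, [
        ("HOST", r"^(?P<shorthost>[^.]+)\."),
        ("MESSAGE", r"bad login from (?P<ip>[^ ]+) "),
    ])
    return expand("$HOST $shorthost is being attacked from $ip",
                  FAILED_LOGIN, numbered, named)


def wide_template():
    """Bazsi's ${NNN} syntax on an 18-field message; note how a bare $13 misparses."""
    pattern = "^" + " ".join([r"(\S+)"] * 18) + "$"
    numbered, named = apply_filters(WIDE_RECORD, [("MESSAGE", pattern)])
    return expand("${13},${18} vs $13", WIDE_RECORD, numbered, named)


if __name__ == "__main__":
    print(numbered_template())  # short hostname lost: the IP appears twice
    print(named_template())     # both values survive under their own names
    print(wide_template())      # ${13} and ${18} work, $13 expands to $1 + "3"
```

The practical takeaway for anyone feeding these matches into a database: with only numbered slots, put all the columns you need into a single regex so one match fills $1..${18}, and always write the two-digit references with braces; with named macros, the order of the filters stops mattering.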
participants (3)
- Balazs Scheidler
- Evan Rempel
- Fat Wallet