Hello, I've tried to set up some filters lately (v1.9.7). There's a problem with the regex character ^. For example I want to filter out "Accepted password" and my home IP from sshd logs, so I set up:

    filter f_sshd {
        (program("sshd") and not (
            (match("Accepted password") and match("from 123\.456\.789\.012"))
            or // other rules
        ))
        or not program("sshd");
    };

Works ok, but I want to filter only messages starting with "Accepted password", but "^Accepted password" doesn't work. Yes - I know - don't use ^, so it's faster. Anyway - "^Accepted" should work as a match pattern and it doesn't. (It should match only the "text" part of the message, am I right?)

TIA
On Sat, 2005-12-17 at 22:14 +0100, Staszek Pitucha wrote:
Hello, I've tried to set up some filters lately (v1.9.7). There's a problem with the regex character ^. For example I want to filter out "Accepted password" and my home IP from sshd logs, so I set up:

    filter f_sshd {
        (program("sshd") and not (
            (match("Accepted password") and match("from 123\.456\.789\.012"))
            or // other rules
        ))
        or not program("sshd");
    };

Works ok, but I want to filter only messages starting with "Accepted password", but "^Accepted password" doesn't work.
Yes - I know - don't use ^, so it's faster. Anyway - "^Accepted" should work as a match pattern and it doesn't. (It should match only the "text" part of the message, am I right?)
No, matches everything starting from the program name.

-- 
Bazsi
Balazs Scheidler wrote:
No, matches everything starting from the program name.
I think the reference should say that more clearly...

    Table 3.12. Available filter functions in syslog-ng:
    ...
    match(regexp)    Tries to match a regular expression to the message itself.
    ...

Or - as program itself can be regexp'ed alone - maybe it could match the real message contents only?
On Mon, Dec 19, 2005 at 09:59:04AM +0100, Balazs Scheidler wrote:
On Sat, 2005-12-17 at 22:14 +0100, Staszek Pitucha wrote:
Hello, I've tried to set up some filters lately (v1.9.7). There's a problem with the regex character ^. For example I want to filter out "Accepted password" and my home IP from sshd logs, so I set up:

    filter f_sshd {
        (program("sshd") and not (
            (match("Accepted password") and match("from 123\.456\.789\.012"))
            or // other rules
        ))
        or not program("sshd");
    };

Works ok, but I want to filter only messages starting with "Accepted password", but "^Accepted password" doesn't work.
Yes - I know - don't use ^, so it's faster. Anyway - "^Accepted" should work as a match pattern and it doesn't. (It should match only the "text" part of the message, am I right?)
No, matches everything starting from the program name.
This isn't what I've observed in the past, but when I test now with 1.6.8 I see that this catches all the sshd messages:

    filter f_ssh_any { match("^sshd"); };
    destination d_ssh_any { file("/tmp/ssh_any.log"); };
    log { source(src); filter(f_ssh_any); destination(d_ssh_any); };

I remember when developing matches for 1.6.6 or 1.6.7 that the program name wasn't available when using the match() function. Did this change recently, or did I do something wrong back then?

BTW, I've created a new FAQ item to help people with quoting and escaping in syslog-ng regexes.

http://www.campin.net/syslog-ng/faq.html#escaping

-- 
Nate

"Humour is the great thing, the saving thing. The minute it crops up, all our irritations and resentments slip away and a sunny spirit takes their place" - Samuel Clemens
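A small simulation of the semantics Bazsi states above and that Nate's test bears out, written for this page (it is not syslog-ng's code and not something any participant posted): match() runs the regex over the text starting at the program name, so "^Accepted" never matches an sshd line while "^sshd" matches all of them. It also carries the first post's f_sshd filter through on constructed sample lines, first with the unanchored patterns as posted and then with patterns anchored at the program name and terminated after the address. Assumptions: the sample lines and the home address 192.0.2.10 are made up, and Python's re stands in for the POSIX regex engine syslog-ng 1.x used; the patterns shown behave the same in both.

```python
import re

# Constructed sample lines in BSD syslog layout: timestamp, host, then the
# program-prefixed text.  Index 3 is a disconnect line whose reason string
# (after the second colon) is supplied by the SSH client, so it can carry
# whatever the remote side wants, including the words "Accepted password".
SAMPLE_LINES = [
    "Dec 17 22:14:01 gw sshd[4242]: Accepted password for alice from 192.0.2.10 port 51022 ssh2",
    "Dec 17 22:14:05 gw sshd[4243]: Accepted password for bob from 192.0.2.100 port 40112 ssh2",
    "Dec 17 22:14:09 gw sshd[4244]: Failed password for root from 198.51.100.7 port 33001 ssh2",
    "Dec 17 22:14:12 gw sshd[4245]: Received disconnect from 192.0.2.10: 11: Accepted password for alice",
    "Dec 17 22:14:20 gw cron[17]: (root) CMD (run-parts /etc/cron.hourly)",
]

# "Mmm dd HH:MM:SS host <rest>"; <rest> begins with the program name.
HEADER_RE = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ (?P<rest>.*)$")


def match_text(line):
    """Text that syslog-ng 1.x match() runs the regex over: everything from
    the program name onwards, not only the body after 'prog[pid]: '."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a BSD syslog line: %r" % line)
    return m.group("rest")


def program(line):
    """Program name as the program() filter sees it (up to '[', ':' or space)."""
    return re.match(r"[^\[:\s]+", match_text(line)).group(0)


def match(regex, line):
    """syslog-ng 1.x match(): an unanchored search over match_text(line).
    Assumption: Python's re is equivalent to POSIX regex for these patterns."""
    return re.search(regex, match_text(line)) is not None


def select(lines, regex):
    """Indexes of the lines accepted by  filter f { match(regex); };"""
    return [i for i, line in enumerate(lines) if match(regex, line)]


def f_sshd(lines, accepted_re, home_re):
    """The first post's filter: keep everything except sshd lines that match
    both the 'accepted password' pattern and the home-address pattern."""
    kept = []
    for i, line in enumerate(lines):
        is_sshd = program(line) == "sshd"
        noise = match(accepted_re, line) and match(home_re, line)
        if (is_sshd and not noise) or not is_sshd:
            kept.append(i)
    return kept


if __name__ == "__main__":
    print("^Accepted       ->", select(SAMPLE_LINES, r"^Accepted"))  # []
    print("^sshd           ->", select(SAMPLE_LINES, r"^sshd"))      # [0, 1, 2, 3]
    # Under these semantics the anchor has to sit at the program name.
    print("anchored        ->", select(SAMPLE_LINES, r"^sshd\[[0-9]+\]: Accepted password"))  # [0, 1]
    # The unanchored address pattern also matches 192.0.2.100 and the
    # client-controlled disconnect text; a trailing ' port ' pins it down.
    loose = f_sshd(SAMPLE_LINES, r"Accepted password", r"from 192\.0\.2\.10")
    tight = f_sshd(SAMPLE_LINES, r"^sshd\[[0-9]+\]: Accepted password",
                   r"from 192\.0\.2\.10 port ")
    print("kept (loose)    ->", loose)  # [2, 4]: bob's login and the disconnect dropped too
    print("kept (anchored) ->", tight)  # [1, 2, 3, 4]: only alice's login from home dropped
```

The loose run shows the two ways the posted patterns over-match: "from 192\.0\.2\.10" is a prefix of 192.0.2.100, and an unanchored "Accepted password" fires on any line that happens to contain those words, including text the remote client chose. Terminating the address pattern on the " port " that follows it in OpenSSH's message, and anchoring the message pattern at "^sshd[pid]: ", keeps only the line the filter was meant to drop.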
On Mon, 2005-12-19 at 14:12 -0800, Nate Campi wrote:
On Mon, Dec 19, 2005 at 09:59:04AM +0100, Balazs Scheidler wrote:
On Sat, 2005-12-17 at 22:14 +0100, Staszek Pitucha wrote:
This isn't what I've observed in the past, but when I test now with 1.6.8 I see that this catches all the sshd messages:

    filter f_ssh_any { match("^sshd"); };
    destination d_ssh_any { file("/tmp/ssh_any.log"); };
    log { source(src); filter(f_ssh_any); destination(d_ssh_any); };

I remember when developing matches for 1.6.6 or 1.6.7 that the program name wasn't available when using the match() function. Did this change recently, or did I do something wrong back then?
I haven't changed this for ages. The last change in src/log.c was on January 13th 2004, and it was only a couple of warning fixes for HP-UX. The patch before that is from 2003/10/15:

    the change on 2004/01/13 is released with 1.6.2
    the change on 2003/10/15 is released with 1.6.1

But IIRC this is the behaviour that was implemented originally and was not changed since.

-- 
Bazsi
participants (3)
- Balazs Scheidler
- Nate Campi
- Staszek Pitucha