turn off case sensitivity for match regex filter
Guys
Playing around with ng 2 and I started looking at the match filter again. Simple question that I cannot find an answer to anywhere on the net. How do I turn off case sensitivity for the match target ? I'd like the following line to match 'error' or 'ERROR' or 'Error'
filter logparse { match("error"); };
but of course it only matches 'error' since by default regex is case sensitive. Basically I'm trying to emulate 'grep -i' I guess I could do this :
filter logparse { match("[Ee][Rr][Rr][Oo][Rr]"); };
but it'd be soo much simpler to turn off case sensitivity.
And while we're talking regex. Shouldn't the above line actually read like this :
filter logparse { match(".+error.+"); }; ?
meaning "anything followed by 'error' followed by anything" Both appear to work so I assume the first line is interpreted by syslog-ng like the second line correct ?
Help is appreciated
stucky
On Sat, 2007-04-28 at 01:52 -0700, stucky wrote:
Guys
Playing around with ng 2 and I started looking at the match filter again. Simple question that I cannot find an answer to anywhere on the net. How do I turn off case sensitivity for the match target ? I'd like the following line to match 'error' or 'ERROR' or 'Error'
filter logparse { match("error"); };
but of course it only matches 'error' since by default regex is case sensitive. Basically I'm trying to emulate 'grep -i' I guess I could do this :
filter logparse { match("[Ee][Rr][Rr][Oo][Rr]"); };
but it'd be soo much simpler to turn off case sensitivity.
Yes, you are right. But it's not currently possible. It should be however, I'll try to add it in the near future.
And while we're talking regex. Shouldn't the above line actually read like this :
filter logparse { match(".+error.+"); }; ?
meaning "anything followed by 'error' followed by anything" Both appear to work so I assume the first line is interpreted by syslog-ng like the second line correct ?
syslog-ng interprets "match" the same as grep, e.g. it does not care where the pattern is found. If you want to match the beginning or the end of line, you need to use explicit ^ and $ characters.
-- Bazsi
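The matching behaviour discussed in this exchange, as an added example that is not part of the original thread or of syslog-ng's source: it calls POSIX regcomp()/regexec() with REG_EXTENDED directly, the same compile call that appears in the patch later in this thread, over constructed log lines. count_matches() and the sample lines are hypothetical; the fourth line shows where ".+error.+" and a bare "error" differ.

```c
/* Added illustration, not syslog-ng code: POSIX ERE matching over
 * constructed syslog lines. count_matches() is a hypothetical helper. */
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

static const char *const sample_lines[] = {   /* constructed samples */
    "<11>Apr 28 01:52:00 host app[101]: error opening socket",
    "<11>Apr 28 01:52:01 host app[101]: ERROR opening socket",
    "<11>Apr 28 01:52:02 host app[101]: Error opening socket",
    "<11>Apr 28 01:52:03 host app[101]: unrecoverable error",
    "<14>Apr 28 01:52:04 host app[101]: socket opened",
};
#define N_LINES (sizeof(sample_lines) / sizeof(sample_lines[0]))

/* Number of sample lines matching `pattern`, or -1 if it does not compile.
 * extra_flags is 0 (case-sensitive) or REG_ICASE (what grep -i does). */
int count_matches(const char *pattern, int extra_flags)
{
    regex_t re;
    int hits = 0;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB | extra_flags) != 0)
        return -1;
    for (size_t i = 0; i < N_LINES; i++)
        if (regexec(&re, sample_lines[i], 0, NULL, 0) == 0)
            hits++;
    regfree(&re);
    return hits;
}

int main(void)
{
    static const struct { const char *re; int flags; } cases[] = {
        { "error", 0 },                 /* unanchored, case-sensitive      */
        { "[Ee][Rr][Rr][Oo][Rr]", 0 },  /* per-letter bracket workaround   */
        { "error", REG_ICASE },         /* case-insensitive compile flag   */
        { ".+error.+", 0 },             /* needs text on both sides        */
        { "error$", 0 },                /* explicit end-of-line anchor     */
        { "^error$", 0 },               /* whole line must be "error"      */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-22s icase=%d -> %d of %zu lines\n", cases[i].re,
               cases[i].flags != 0, count_matches(cases[i].re, cases[i].flags),
               N_LINES);
    return 0;
}
```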
Baszi
Cool. I'm in the middle of building a new infrastructure and would like to use this feature. I'm not a programmer but I assume adding this feature shouldn't be very hard at all right ? If you had a rough ETA that'd help me.
thx
-- stucky
On Sat, 2007-04-28 at 12:44 -0700, stucky wrote:
Baszi
Cool. I'm in the middle of building a new infrastructure and would like to use this feature. I'm not a programmer but I assume adding this feature shouldn't be very hard at all right ? If you had a rough ETA that'd help me.
attached patch implements it using perl-like syntax, e.g.:
filter f_case { match('(?i)regexp'); };
It works in all filters that use regexps (e.g. match, host, program, etc). The regexp must begin with '(?' or otherwise the flag will not be recognized.
Tomorrow's snapshot should contain it.
From 47f53555268efb72ab8db2d620d7669b8e5dc7a4 Mon Sep 17 00:00:00 2001 From: Balazs Scheidler <bazsi@balabit.hu> Date: Sun, 29 Apr 2007 18:53:46 +0200 Subject: [PATCH] added support for Perl-like regexp flags to support case-ignoring matches
2007-04-28 Balazs Scheidler <bazsi@balabit.hu> * src/filter.c (filter_re_compile): parse '(?i)' at the beginning of regexps as an ignore-case flag, just like Perl does --- src/filter.c | 34 +++++++++++++++++++++++++++++++--- tests/unit/test_filters.c | 5 +++++ 2 files changed, 36 insertions(+), 3 deletions(-) diff --git a/src/filter.c b/src/filter.c index 8e19440..cf7e3aa 100644 --- a/src/filter.c +++ b/src/filter.c @@ -230,11 +230,39 @@ typedef struct _FilterRE } FilterRE; static gboolean -filter_re_compile(const char *re, regex_t *regex) +filter_re_compile(const gchar *re, regex_t *regex) { - int rc; + gint rc; + const gchar *re_comp = re; + gint flags = REG_EXTENDED; - rc = regcomp(regex, re, REG_EXTENDED); + if (re[0] == '(' && re[1] == '?') + { + gint i; + + for (i = 2; re[i] && re[i] != ')'; i++) + { + switch (re[i]) + { + case 'i': + flags |= REG_ICASE; + break; + } + } + if (re[i]) + { + re_comp = &re[i + 1]; + } + else + { + msg_error("Invalid regexp flags", + evt_tag_str("re", re), + NULL); + return FALSE; + } + } + + rc = regcomp(regex, re_comp, flags); if (rc) { gchar buf[256]; diff --git a/tests/unit/test_filters.c b/tests/unit/test_filters.c index 58236d7..187b572 100644 --- a/tests/unit/test_filters.c +++ b/tests/unit/test_filters.c 
@@ -137,11 +137,16 @@ main(int argc G_GNUC_UNUSED, char *argv[] G_GNUC_UNUSED) testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_host_new("^host$"), 1); testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_host_new("^hos$"), 0); + testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_host_new("pthread"), 0); fprintf(stderr, "One \"invalid regular expressions\" message is to be expected\n"); TEST_ASSERT(filter_host_new("((") == NULL); + fprintf(stderr, "One \"invalid regular expressions\" message is to be expected\n"); + TEST_ASSERT(filter_host_new("(?iana") == NULL); + testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_match_new(" PTHREAD "), 1); testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_match_new("^PTHREAD$"), 0); + testcase("<15>Oct 15 16:17:01 host openvpn[2499]: PTHREAD support initialized", 0, filter_match_new("(?i)pthread"), 1); fprintf(stderr, "One \"invalid regular expression\" message is to be expected\n"); TEST_ASSERT(filter_match_new("((") == NULL); -- Bazsi
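Review bot: In the flag loop added to filter_re_compile() in src/filter.c, the switch handles only 'i' and has no default case, so every other character between "(?" and ")" is dropped without a message; a pattern such as "(?x)foo" would compile as plain "foo", and a mistyped flag silently changes what the filter matches. Suggest a default: branch that calls msg_error() and returns FALSE, the same way the unterminated case already does. A comment on the function should also state that the prefix is recognized only at the very start of the expression and that any pattern beginning with "(?" is now treated as a flag group and stripped up to the first ")".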
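Review bot: In the tests/unit/test_filters.c hunk, the fprintf() added before TEST_ASSERT(filter_host_new("(?iana") == NULL) announces an "invalid regular expressions" message, but the unterminated-flag path in filter_re_compile() logs "Invalid regexp flags", so the hint does not describe what the run prints; suggest wording it after the actual message. The terminated "(?i)" form is exercised only through filter_match_new(); adding a filter_host_new() case with "(?i)" and a case with an unrecognized flag letter inside a closed group would pin down the behaviour for the other filter type and for the characters the loop currently skips.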
Thanks very much for the quick fix ! I tried today's snapshot and it seems to work.
regards
-- stucky