Hello friends,

I am trying to match the following entry with syslog-ng 1.6.0rc4:

Dec 11 15:25:10 log_source@pawan amavis[29961]: (29961-01-2) Passed, <syslog-ng-admin@lists.balabit.hu> -> <allanwind@lifeintegrity.com>, Message-ID: <20031211202502.22100.73262.Mailman@www.balabit.hu>, Hits: -1.364

And expected this to do the trick (after a bit of trial and error and checking the archives):

match("^\\(.*Passed, ")

and eventually

match("^\\(\d+-\d+\\) Passed")

however neither works. If I leave out "\\(" on the first match, it works as expected. Any ideas?

/Allan

-- 
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022 USA
Allan Wind wrote:
Hello friends,
I am trying to match the following entry with syslog-ng 1.6.0rc4:
Dec 11 15:25:10 log_source@pawan amavis[29961]: (29961-01-2) Passed, <syslog-ng-admin@lists.balabit.hu> -> <allanwind@lifeintegrity.com>, Message-ID: <20031211202502.22100.73262.Mailman@www.balabit.hu>, Hits: -1.364
And expected this to do the trick (after a bit of trial and error and checking the archives):
match("^\\(.*Passed, ")
and eventually
match("^\\(\d+-\d+\\) Passed")
What is it that you are trying to match? Is it "(ddddd-dd-d) Passed"? i.e. parenthesis, 5 digits, hyphen, 2 digits, hyphen, 1 digit, parenthesis, space and the word Passed?

Jim
On 2003-12-16T09:52:46+0000, Jim Mozley wrote:
Allan Wind wrote:
Dec 11 15:25:10 log_source@pawan amavis[29961]: (29961-01-2) Passed, <syslog-ng-admin@lists.balabit.hu> -> <allanwind@lifeintegrity.com>, Message-ID: <20031211202502.22100.73262.Mailman@www.balabit.hu>, Hits: -1.364
[...]
What is it that you are trying to match?
Is it "(ddddd-dd-d) Passed"?
Good eyes. I am trying to be very specific and only match("^... Passed") which in this case probably works out to:

match("[^:]+: \\([^\\)]\\) Passed, ")

Perhaps we could document exactly what should be quoted? I mean, why is literal '(' written as '\\(' and not '\\\('? What characters need to be quoted? Exactly what type of regex is supported? I did not manage getting \d working, but that could be because I got quoting wrong (is it \\d?).

I noticed that if you send a signal 1 to a running syslog-ng process asking it to load a syslog-ng.conf with a syntax error, then the process dies. Should it just log something and refuse to load the new syslog-ng.conf instead?

/Allan

-- 
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022 USA
Allan Wind wrote:
On 2003-12-16T09:52:46+0000, Jim Mozley wrote:
Allan Wind wrote:
Dec 11 15:25:10 log_source@pawan amavis[29961]: (29961-01-2) Passed, <syslog-ng-admin@lists.balabit.hu> -> <allanwind@lifeintegrity.com>, Message-ID: <20031211202502.22100.73262.Mailman@www.balabit.hu>, Hits: -1.364
[...]
What is it that you are trying to match?
Is it "(ddddd-dd-d) Passed"?
Good eyes. I am trying to be very specific and only match("^... Passed") which in this case probably works out to:
match("[^:]+: \\([^\\)]\\) Passed, ")
I have to confess I've not needed to match on anything other than a simple word yet in my syslog-ng.conf, but I'm fairly familiar with regex in general. I thought I'd look at this as I need to do a more complex match. The complex matches I use are in swatch and hence perl regex. Afraid I don't understand why you are trying to match in the way you are, for instance within the parentheses why not match [-0-9]+ or [-\d]+ if \d is supported?
Perhaps we could document exactly what should be quoted? I mean, why is literal '(' written as '\\(' and not '\\\('? What characters need to be quoted? Exactly what type of regex is supported? I did not manage getting \d working, but that could be because I got quoting wrong (is it \\d?).
Sorry cannot help with this yet. I tried to find some info on what particular features syslog-ng regex supports and haven't so far. If I come across something I will post it. If there is anyone who can point to this in the doco or man pages please let me know; I haven't found it, haven't come across anything on google or the FAQ and the list archive isn't searchable unless I download the lot!
I noticed, that if you send a signal 1 to a running syslog-ng process asking it to load a syslog-ng.conf with syntax error, then the process dies. Should it just log something and refuse to load the new syslog-ng.conf instead?
I think there is a way around this. Try putting it on a test machine and using something like the -d option. It may be you can use a second config file using the -f option as a test file in conjunction with -d.

Jim
On Wed, 2003-12-17 at 10:45, Jim Mozley wrote:
Good eyes. I am trying to be very specific and only match("^... Passed") which in this case probably works out to:
match("[^:]+: \\([^\\)]\\) Passed, ")
I have to confess I've not needed to match on anything other than a simple word yet in my syslog-ng.conf, but I'm fairly familiar with regex in general. I thought I'd look at this as I need to do a more complex match. The complex matches I use are in swatch and hence perl regex.
Afraid I don't understand why you are trying to match in the way you are, for instance within the parentheses why not match [-0-9]+ or [-\d]+ if \d is supported?
Perhaps we could document exactly what should be quoted? I mean, why is literal '(' written as '\\(' and not '\\\('? What characters need to be quoted? Exactly what type of regex is supported? I did not manage getting \d working, but that could be because I got quoting wrong (is it \\d?).
Sorry cannot help with this yet. I tried to find some info on what particular features syslog-ng regex supports and haven't so far. If I come across something I will post it. If there is anyone who can point to this in the doco or man pages please let me know; I haven't found it, haven't come across anything on google or the FAQ and the list archive isn't searchable unless I download the lot!
syslog-ng supports extended regular expressions as provided by the libc. Quoting is required due to a lexer which uses backslash as the escape operator, thus it needs to be escaped in itself. So if you wanted to write \d you'd have to write \\d (just like you have to do it in C).

Since I'm using extended regular expressions, '(' and ')' are special characters used for grouping; if you want literal parens, escape them: \\( or \\) (again the double backslashes are present because of the lexer).
I noticed, that if you send a signal 1 to a running syslog-ng process asking it to load a syslog-ng.conf with syntax error, then the process dies. Should it just log something and refuse to load the new syslog-ng.conf instead?
syslog-ng should not die in this case; if it does it is a bug. It should simply fall back to using the previous configuration.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On 2003-12-17T09:45:15+0000, Jim Mozley wrote:
Afraid I don't understand why you are trying to match in the way you are, for instance within the parentheses why not match [-0-9]+ or [-\d]+ if \d is supported?
I want to ensure that my regex matches the following prefix: "amavis[29961]: (29961-01-2) Passed, " as the tail of the event (as originally posted) may contain tainted data. It could work out to something like this, or as you suggested.

program("^amavis") and ( match("^[^:]+: [\\(\\)\\d-]+ Passed, ") or ... )

Does program() contain the [pid] part? I.e. "amavis[29961]" in this example or just "amavis"?

/Allan

-- 
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022 USA
On Thu, 2003-12-18 at 07:20, Allan Wind wrote:
Does program() contain the [pid] part? I.e. "amavis[29961]" in this example or just "amavis"?
Just 'amavis'.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
Allan Wind wrote:
On 2003-12-16T09:52:46+0000, Jim Mozley wrote:
Allan Wind wrote:
Dec 11 15:25:10 log_source@pawan amavis[29961]: (29961-01-2) Passed, <syslog-ng-admin@lists.balabit.hu> -> <allanwind@lifeintegrity.com>, Message-ID: <20031211202502.22100.73262.Mailman@www.balabit.hu>, Hits: -1.364
[...]
What is it that you are trying to match?
Is it "(ddddd-dd-d) Passed"?
Good eyes. I am trying to be very specific and only match("^... Passed") which in this case probably works out to:
Just came across something while googling. Do you really want something like: [untested]

filter f_av_passed { program("amavis"); match("Passed"); };

Jim
On 2003-12-17T09:52:26+0000, Jim Mozley wrote:
filter f_av_passed { program("amavis"); match("Passed"); };
Thanks Jim, while that works, it is not specific enough for me. For instance, someone could send mail as user "Passed" and this filter would match it (I am matching on things that I do not want to see).

/Allan

-- 
Allan Wind
P.O. Box 2022
Woburn, MA 01888-0022 USA
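The two points Bazsi and Allan make above (the regex engine is the libc's POSIX ERE behind a backslash-stripping lexer, and an unanchored match("Passed") is satisfied by attacker-controlled text such as a sender named "Passed") can be checked directly against the same engine. The program below is an added example, not code from the thread or from syslog-ng: it feeds the loose and the anchored pattern through regcomp()/regexec() with REG_EXTENDED, which is the libc ERE engine syslog-ng 1.6 is said to use, and runs both over a constructed pair of amavis lines. It assumes that the text match() sees begins at the program name, as Allan's "[^:]+: " prefix implies. Because C string literals are de-escaped exactly like the syslog-ng.conf lexer, the pattern literals are written the way they would appear in the config. One caveat a practitioner wants here: \d is not part of POSIX ERE at all, so the digit runs are written as [0-9]; likewise inside a POSIX bracket expression a backslash is an ordinary character, so Allan's [\\(\\)\\d-]+ would match a literal backslash or the letter d rather than a digit.

```c
/* Added example (not from the thread or from syslog-ng): runs the filter
 * patterns discussed above through the libc POSIX ERE engine (regcomp/regexec).
 * Both log lines are constructed for this example. */
#include <regex.h>
#include <stdio.h>

/* Assumption: match() is applied to the text starting at the program name,
 * as Allan's "[^:]+: " prefix implies. Constructed from the posted line. */
static const char *const GOOD_LINE =
    "amavis[29961]: (29961-01-2) Passed, <syslog-ng-admin@lists.balabit.hu> -> "
    "<allanwind@lifeintegrity.com>, Message-ID: <x@www.balabit.hu>, Hits: -1.364";

/* Constructed: a non-passed message whose sender name contains "Passed".
 * The sender is attacker-controlled; the status field is not. */
static const char *const TAINTED_LINE =
    "amavis[29961]: (29961-01-3) Not-Delivered, <Passed@example.org> -> "
    "<allanwind@lifeintegrity.com>, Message-ID: <y@example.org>, Hits: 9.1";

/* Written as they would appear in syslog-ng.conf: one backslash layer is
 * removed by the C compiler here, just as the syslog-ng lexer removes it,
 * so the regex engine receives \( and \). POSIX ERE has no \d, hence [0-9]. */
#define LOOSE_PATTERN    "Passed"
#define ANCHORED_PATTERN "^[^:]+: \\([0-9]+-[0-9]+-[0-9]+\\) Passed, "

/* Compile `pattern` as a POSIX extended regex and test it against `text`.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int ere_matches(const char *pattern, const char *text)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, text, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* The loose filter fires on both lines; the anchored one only on the
     * line whose status field, not its sender, says Passed. */
    printf("loose    vs good:    %d\n", ere_matches(LOOSE_PATTERN, GOOD_LINE));
    printf("loose    vs tainted: %d\n", ere_matches(LOOSE_PATTERN, TAINTED_LINE));
    printf("anchored vs good:    %d\n", ere_matches(ANCHORED_PATTERN, GOOD_LINE));
    printf("anchored vs tainted: %d\n", ere_matches(ANCHORED_PATTERN, TAINTED_LINE));
    return 0;
}
```

The anchored pattern works because every field before the status ("program[pid]: (id) ") is produced by the daemon, not copied from the mail, so the regex never has to look past a point where attacker-supplied text begins. Compile with `cc -o ere_check ere_check.c` and run; the same patterns can be dropped into a match() filter unchanged, since the double backslashes survive the trip through syslog-ng.conf the same way they survive a C source file.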
participants (3)

- allanwind@lifeintegrity.com
- Balazs Scheidler
- Jim Mozley