How do you use pcre named pattern matches with store-matches? I've been trying to do things like message("IP: (?<ip>\S+)" flags(store-matches) type("pcre")) and then insert into a database with things like values("$ip") or values("$+{ip}") and nothing works. I can't seem to find any examples of usage through Google either.
After messing around with this for several days, I found the problems.
1) you can not use lowercase letters in the match name
2) there are reserved words where if you try to use it as the match name, it dorks everything up (like MSGID). This one had me ripping out my hair and pounding my head on the desk.

Sent: Thursday, March 04, 2010 3:23:59 PM
From: Patrick H. <syslogng@feystorm.net>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] pcre matches
How do you use pcre named pattern matches with store-matches? I've been trying to do things like message("IP: (?<ip>\S+)" flags(store-matches) type("pcre")) and then insert into a database with things like values("$ip") or values("$+{ip}") and nothing works. I can't seem to find any examples of usage through Google either.
Hi,

Many thanks for reporting this, I'm sometimes blind to stuff that makes syslog-ng difficult to use, but improving these cases will certainly make life easier for others.

On Fri, 2010-03-05 at 17:42 -0700, Patrick H. wrote:
After messing around with this for several days, I found the problems. 1) you can not use lowercase letters in the match name 2) there are reserved words where if you try to use it as the match name, it dorks everything up (like MSGID). This one had me ripping out my hair and pounding my head on the desk.
When using a template, the '$' syntax prefers built-in macros over name-value pairs. This is for compatibility reasons.
Sent: Thursday, March 04, 2010 3:23:59 PM
From: Patrick H. <syslogng@feystorm.net>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] pcre matches

How do you use pcre named pattern matches with store-matches? I've been trying to do things like message("IP: (?<ip>\S+)" flags(store-matches) type("pcre")) and then insert into a database with things like values("$ip") or values("$+{ip}") and nothing works. I can't seem to find any examples of usage through Google either.
Hmm... you are right about the uppercase letters, although it dates back to when syslog-ng didn't have user-nameable Name-Value pairs. The brace syntax should work with either case though: ${ip} should work even with the current code. I don't know what you mean with $+{ip} though.

I've committed this patch to allow non-capital letters in the non-braced syntax:

commit 3bb6aee1a7448d9ec5e5436e7868fb62b1086a01
Author: Balazs Scheidler <bazsi@balabit.hu>
Date: Sat Mar 6 10:19:26 2010 +0100

    accept lower case letters as macro name even when not using braces

    To access all name-value pairs, the syntax ${macro_or_value} is preferred, especially if the value name contains a '.' character. However the old syntax $macro_or_value could also accept lower case letters, which it didn't without this patch.

    Reported-By: Patrick H.

--
Bazsi
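
Added example, not part of the thread and not taken from the syslog-ng documentation: a configuration sketch of the setup discussed above, using the braced ${ip} form that the reply says works with either letter case. The object names (s_net, f_ip, d_sql), the table and column names and the connection values are hypothetical placeholders; the regex is written in single quotes on the assumption that the backslash in \S should reach the PCRE engine unescaped.

```conf
# Added example: all names and connection values below are placeholders.

source s_net { udp(); };

# Named PCRE capture stored as a name-value pair by store-matches.
# Pick a capture name that is not a built-in macro (MSGID, HOST, ...):
# per the reply above, templates prefer built-in macros over
# name-value pairs, so a clashing name never yields the captured text.
filter f_ip {
    message('IP: (?<ip>\S+)' type("pcre") flags("store-matches"));
};

# The braced reference ${ip} is accepted for lower-case names.
# The unbraced $ip only resolves on builds that include the
# "accept lower case letters as macro name" commit quoted above.
destination d_sql {
    sql(
        type(mysql)
        host("127.0.0.1")
        username("syslog")
        password("CHANGE_ME")
        database("logs")
        table("ip_events")
        columns("received", "host", "ip")
        values("${R_ISODATE}", "${HOST}", "${ip}")
    );
};

# Only messages that match the filter carry the ip value, so the
# filter must sit in the same log path as the SQL destination.
log { source(s_net); filter(f_ip); destination(d_sql); };
```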