[syslog-ng]stupid regexp question

Michael Hargadon MHargadon@ITDepartment.com
Thu, 12 Jul 2001 17:41:13 -0400

Good afternoon.

I use a linux box as a concentration point for the system logs of several NT
servers I monitor.  This is done through services running on the NT machine
which provide standard syslog functionality -- they forward any messages
written to the NT event log to a destination I specify.  The format in which
the messages are received is somewhat irritating, eg:

Jul 12 17:36:25 Thu Jul 12 17:34:00 2001: SOMEHOST/Security (528) -
"Successful Logon: User Name: xservice Domain: SOMEDOMAIN Logon ID:
(0x0,0x34616CAB) Logon Type: 3 Logon Process: NtLmSsp Authentication

A large number of the messages we receive we'd prefer not to log to disk.  I
set up a destination pointing to /dev/null for this purpose. My intention is
to use regular expressions to separate useful messages from the useless (and
repetitive) ones.  As an example of the above, I defined a filter as

filter f_nt0001 { match("Security (528)"); };

As well as a log rule as follows:

log { source(src);  filter(f_nt0002); destination(null); };

However, I'm having issues getting the match rule to work.  I suspect it's
the parantheses, since AFAIK they're supposed to be a regexp-reserved
character.  If, however, I escape them with \( messages received which fall
into this category don't hit the filter.  I know there's something
fundamentally obvious that I'm overlooking here but I can't figure it out.
Can anyone offer any assistance?

Michael Hargadon