[syslog-ng]stupid regexp question

Michael Hargadon MHargadon@ITDepartment.com
Thu, 12 Jul 2001 17:41:13 -0400


Good afternoon.

I use a linux box as a concentration point for the system logs of several NT
servers I monitor.  This is done through services running on the NT machine
which provide standard syslog functionality -- they forward any messages
written to the NT event log to a destination I specify.  The format in which
the messages are received is somewhat irritating, e.g.:

Jul 12 17:36:25 1.2.3.4 Thu Jul 12 17:34:00 2001: SOMEHOST/Security (528) -
"Successful Logon: User Name: xservice Domain: SOMEDOMAIN Logon ID:
(0x0,0x34616CAB) Logon Type: 3 Logon Process: NtLmSsp Authentication
Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:
SOMESTATION"

A large number of the messages we receive we'd prefer not to log to disk.  I
set up a destination pointing to /dev/null for this purpose. My intention is
to use regular expressions to separate useful messages from the useless (and
repetitive) ones.  As an example of the above, I defined a filter as
follows:

filter f_nt0001 { match("Security (528)"); };

As well as a log rule as follows:

log { source(src);  filter(f_nt0002); destination(null); };

However, I'm having issues getting the match rule to work.  I suspect it's
the parentheses, since AFAIK they're supposed to be a regexp-reserved
character.  If, however, I escape them with \(, messages received which fall
into this category don't hit the filter.  I know there's something
fundamentally obvious that I'm overlooking here but I can't figure it out.
Can anyone offer any assistance?

Regards,
Michael Hargadon
mhargadon@itdepartment.com
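An added illustration, not part of the post and not syslog-ng code: the snippet below runs the three candidate match() patterns against the sample event quoted above (re-joined onto one line) and shows that unescaped parentheses act as a regex group, so `Security (528)` only matches the text `Security 528`. The bracket-expression form is an assumption offered as an alternative that needs no backslashes, which avoids any question of how the config file's double-quoted strings treat `\`.

```python
import re

# The forwarded NT event as quoted in the post, joined onto one line (constructed sample).
EVENT = ('Thu Jul 12 17:34:00 2001: SOMEHOST/Security (528) - '
         '"Successful Logon: User Name: xservice Domain: SOMEDOMAIN Logon ID: '
         '(0x0,0x34616CAB) Logon Type: 3 Logon Process: NtLmSsp Authentication '
         'Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SOMESTATION"')

# Candidate patterns for match().  In a regex, bare parentheses are grouping
# operators, so "Security (528)" is the same as "Security 528" with a capture.
PATTERNS = {
    "unescaped": r"Security (528)",        # looks for "Security 528" - never in EVENT
    "escaped":   r"Security \(528\)",      # literal parentheses
    "bracketed": r"Security [(]528[)]",    # assumed alternative: bracket expressions
}


def matches(pattern: str, message: str) -> bool:
    """True if the regex matches anywhere in the message, as match() does."""
    return re.search(pattern, message) is not None


def classify(message: str) -> dict:
    """Evaluate every candidate pattern against one message."""
    return {name: matches(pat, message) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for name, hit in classify(EVENT).items():
        print(f"{name:10s} -> {'match' if hit else 'no match'}")
    # What the unescaped pattern really asks for:
    print(matches(PATTERNS["unescaped"], "SOMEHOST/Security 528 - ..."))
```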