[syslog-ng]stupid regexp question

Hamilton, Andrew Mr RAYTHEON 5 SIG CMD HamiltonA@hq.5sigcmd.army.mil
Fri, 13 Jul 2001 07:09:05 +0200


Michael,

Your format is annoying and may take some tweaking of your filters to get
around.  Syslog-ng, as you know, does various types of matching, on the
program, the host, the message, etc, there are different functions that do
those things.  For the message portion there is match(), for the program
portion there is program(), and for host there is host(), you get the idea.
I think you are matching a field other than the message when you are using
the match function.  It's hard to be sure since I'm not familiar with the NT
logging format, but that is what I am guessing.  Try using one of the other
functions to match your expression.  Another way you might get a handle on
the structure as syslog-ng sees the messages is to use a destination that
structures the messages using the DEFAULT filter and the macros, $HOST,
$FACILITY, $PRIORITY, etc that will tell you the format of the message so
you can filter out the way syslog-ng sees it.  In version 1.5.X there is
also the template() function that lets you format the output from syslog-ng
however you want.

Hope this helps.

Regards,
Drew

-----Original Message-----
From: Michael Hargadon [mailto:MHargadon@ITDepartment.com]
Sent: Thursday, July 12, 2001 11:41 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]stupid regexp question


Good afternoon.

I use a linux box as a concentration point for the system logs of several NT
servers I monitor.  This is done through services running on the NT machine
which provide standard syslog functionality -- they forward any messages
written to the NT event log to a destination I specify.  The format in which
the messages are received is somewhat irritating, eg:

Jul 12 17:36:25 1.2.3.4 Thu Jul 12 17:34:00 2001: SOMEHOST/Security (528) -
"Successful Logon: User Name: xservice Domain: SOMEDOMAIN Logon ID:
(0x0,0x34616CAB) Logon Type: 3 Logon Process: NtLmSsp Authentication
Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:
SOMESTATION"

A large number of the messages we receive we'd prefer not to log to disk.  I
set up a destination pointing to /dev/null for this purpose. My intention is
to use regular expressions to separate useful messages from the useless (and
repetitive) ones.  As an example of the above, I defined a filter as
follows:

filter f_nt0001 { match("Security (528)"); };

As well as a log rule as follows:

log { source(src);  filter(f_nt0002); destination(null); };

However, I'm having issues getting the match rule to work.  I suspect it's
the parentheses, since AFAIK they're supposed to be a regexp-reserved
character.  If, however, I escape them with \( messages received which fall
into this category don't hit the filter.  I know there's something
fundamentally obvious that I'm overlooking here but I can't figure it out.
Can anyone offer any assistance?

Regards,
Michael Hargadon
mhargadon@itdepartment.com
