[syslog-ng] filtering with regexp

Balazs Scheidler bazsi@balabit.hu
Fri, 19 Apr 2002 09:01:53 +0200


On Thu, Apr 18, 2002 at 01:06:32PM -0700, mar tin wrote:
> Hello :)
> When cron runs, it sends the following lines
> Apr 18 16:50:01 martinII PAM_unix[26181]: (cron)
> session opened for user smmsp by (uid=0)
> Apr 18 16:50:01 martinII PAM_unix[26182]: (cron)
> session opened for user runa by (uid=0)
> Apr 18 16:50:01 martinII PAM_unix[26183]: (cron)
> session opened for user runa by (uid=0)
> Apr 18 16:50:02 martinII PAM_unix[26181]: (cron)
> session closed for user smmsp
> Apr 18 16:50:25 martinII PAM_unix[26183]: (cron)
> session closed for user runa
> Apr 18 16:50:27 martinII PAM_unix[26182]: (cron)
> session closed for user runa
> 
> I want to filter those lines and send them to other
> files, so I did:
> 
> filter f_cron2{match("(cron) session opened");};
> log { source(src); filter(f_cron2);
> destination(cron);};
> 
> but it sends the lines to auth.log!
> 
> what am I doing wrong?

match() expects an extended regular expression, thus '(' and ')' are
interpreted as special characters. You need to escape them via '\', but as
this is the escape character in the string, you need to double the backslash
like:

match("\\(cron\\) session opened")

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
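
The following is an added example, not part of the original message. It runs both expressions through `grep -E` (POSIX extended regular expressions) against constructed log lines modelled on the ones quoted above. Unescaped, `(cron)` is a group and matches only the bare text `cron session opened`. The helper names and the string-unescaping step are assumptions: a simplified model of the config string layer turning each doubled backslash into a single one.

```shell
#!/bin/sh
# Constructed sample input modelled on the PAM_unix lines quoted above
# (each message unwrapped onto one line), plus one constructed decoy line.
sample_log() {
cat <<'EOF'
Apr 18 16:50:01 martinII PAM_unix[26181]: (cron) session opened for user smmsp by (uid=0)
Apr 18 16:50:01 martinII PAM_unix[26182]: (cron) session opened for user runa by (uid=0)
Apr 18 16:50:02 martinII PAM_unix[26181]: (cron) session closed for user smmsp
Apr 18 16:50:03 martinII sshd[300]: cron session opened (constructed decoy line)
EOF
}

# Assumption: simplified model of the config string layer, which turns
# each doubled backslash into a single one before the regex is compiled.
config_string_to_regex() {
    printf '%s\n' "$1" | sed 's/\\\\/\\/g'
}

# Count the sample lines matched by an extended regular expression.
# grep exits 1 when nothing matches, so the status is normalised to 0.
count_matches() {
    sample_log | grep -E -c -- "$1" || true
}

# Print the sample lines matched by an extended regular expression.
matching_lines() {
    sample_log | grep -E -- "$1" || true
}

# What the regex engine receives for the corrected filter string.
escaped_re=$(config_string_to_regex '\\(cron\\) session opened')

echo "regex after string unescaping: $escaped_re"
echo "unescaped pattern matches $(count_matches '(cron) session opened') line(s):"
matching_lines '(cron) session opened'
echo "escaped pattern matches $(count_matches "$escaped_re") line(s):"
matching_lines "$escaped_re"
```
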