[syslog-ng]Quoting ( and ) in a match

Jim Mozley syslog-ng@lists.balabit.hu
Wed, 17 Dec 2003 09:45:15 +0000 

Allan Wind wrote:

> On 2003-12-16T09:52:46+0000, Jim Mozley wrote:
> 
>>Allan Wind wrote:
> 
> 
>>>Dec 11 15:25:10 log_source@pawan amavis[29961]: (29961-01-2) Passed,
>>><syslog-ng-admin@lists.balabit.hu> -> <allanwind@lifeintegrity.com>,
>>>Message-ID: <20031211202502.22100.73262.Mailman@www.balabit.hu>, Hits: 
>>>-1.364
> 
> 
> [...]
> 
> 
>>What is it that you are trying to match?
>>
>>Is it "(ddddd-dd-d) Passed"?
> 
> 
> Good eyes.  I am trying to be very specific and only match("^...
> Passed") which in this case probably works out to:
> 
> 	match("[^:]+: \\([^\\)]\\) Passed, ")

I have to confess I've not needed to match on anything other than a 
simple word yet in my syslog-ng.conf, but I'm fairly familiar with regex 
in general. I thought I'd look at this as I need to do a more complex 
match. The complex matches I use are in swatch and hence perl regex.

Afraid I don't understand why you are trying to match in the way you 
are, for instance within the parentheses why not match [-0-9]+ or [-\d]+ 
if \d is supported?


> Perhaps we could document exactly what should be quoted?  I mean, why is
> literal '(' written as '\\(' and not '\\\('?  What charachters need to
> be quoted?  Exactly what type of regex is supported, I did not manage
> getting \d working, but that could be because I got quoting wrong (is it
> \\d)?

Sorry cannot help with this yet. I tried to find some info on what 
particular features syslog-ng regex supports and haven't so far. If I 
come across something I will post it. If there is anyone who can point 
to this in the doco or man pages please let me know; I haven't found it, 
haven't come across anything on google or the FAQ and the list archive 
isn't searchable unless I download the lot!


> I noticed, that if you send a signal 1 to a running syslog-ng process
> asking it to load a syslog-ng.conf with syntax error, then the process
> dies.  Should it just log something and refuse to load the new
> syslog-ng.conf instead?

I think there is a way around this. Try putting it on a test machine and 
  using something like the -d option. It may be you can use a second 
config file using the -f option as a test file in conjunction with -d.

Jim