[syslog-ng]Quoting ( and ) in a match

Balazs Scheidler syslog-ng@lists.balabit.hu
Wed, 17 Dec 2003 16:26:11 +0100

On Wed, 2003-12-17 at 10:45, Jim Mozley wrote:
> > 
> > 
> > Good eyes.  I am trying to be very specific and only match("^...
> > Passed") which in this case probably works out to:
> > 
> > 	match("[^:]+: \\([^\\)]\\) Passed, ")
> I have to confess I've not needed to match on anything other than a 
> simple word yet in my syslog-ng.conf, but I'm fairly familiar with regex 
> in general. I thought I'd look at this as I need to do a more complex 
> match. The complex matches I use are in swatch and hence perl regex.
> Afraid I don't understand why you are trying to match in the way you 
> are, for instance within the parentheses why not match [-0-9]+ or [-\d]+ 
> if \d is supported?
> > Perhaps we could document exactly what should be quoted?  I mean, why is
> > literal '(' written as '\\(' and not '\\\('?  What charachters need to
> > be quoted?  Exactly what type of regex is supported, I did not manage
> > getting \d working, but that could be because I got quoting wrong (is it
> > \\d)?
> Sorry cannot help with this yet. I tried to find some info on what 
> particular features syslog-ng regex supports and haven't so far. If I 
> come across something I will post it. If there is anyone who can point 
> to this in the doco or man pages please let me know; I haven't found it, 
> haven't come across anything on google or the FAQ and the list archive 
> isn't searchable unless I download the lot!

syslog-ng supports extended regular expressions as provided by the libc.
quoting is required due to a lexer which uses backslash as the escape
operator, thus it needs to be escaped in itself.

so if you wanted to write \d you'd have to write \\d (just like you have
to do it in C)

Since I'm using extended regular expressions '(' and ')' are special
characters used for grouping, if you want literal parens, escape it: \\(
or \\) (again the double backslashes are present because of the lexer)

> > I noticed, that if you send a signal 1 to a running syslog-ng process
> > asking it to load a syslog-ng.conf with syntax error, then the process
> > dies.  Should it just log something and refuse to load the new
> > syslog-ng.conf instead?

syslog-ng should not die in this case, if it does it is a bug. it should
simply fall back to using the previous configuration.

PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1