[syslog-ng]filter match()

Amodiovalerio Verde syslog-ng@lists.balabit.hu
Fri, 6 Jun 2003 21:45:12 +0200


misunderstanding.... my fault...

I'm NOT doing syslog-ng match() but using some C-written parser to parse the
messages and fill the database.

I meant I can't use regexec() and regcomp() because they are really slow
functions...

I do NOT have to filter against program and messages but SPLIT them....

To summarize :

A number of network appliances write to the syslog servers (actually there
are 3 in load balancing).

Filters are used in syslog-ng to let the user choose what to collect and
where.

If the destination is the db, some parsers are used as destination... they get
the message, parse it, split fields also in the message part and fill the
tables.

That way the user can have graphs and statistics and query the db.

A fast example...

a lot of messages come from PIX.... so they are in the form... (if I remember...)

%PIX-6-303002 Build TCP outbound connection : laddr 1.1.1.1/80 gaddr
2.2.2.2/100 faddr 3.3.3.3/110

what I actually do is let the user choose what kind of messages he wants
(using syslog-ng match())...

then get the message and parse it to do specific content management... so
I fill a table with fields:
laddr, lport, gaddr, gport, faddr, fport, proto, outbound/inbound... and so on

I got a big help from syslog-ng because I pass the message to the parser using
something like $TAG\t$R_DATE\t$SOURCEIP..... but the $MSG part gives me not
the message part alone but inclusive of the
program (and optional pid)...

Because there exists a $PROGRAM macro that correctly matches the program+pid
part, I was wondering why the $MSG part has to include it again...

Hope to be clear :P sorry but my English is not so good.



Amodiovalerio Verde
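The splitting described above, as an added example that is not code from the poster or from syslog-ng: a small C parser, using only string functions (no regcomp()/regexec()), that strips an assumed "program[pid]: " prefix from the $MSG text and then pulls the laddr/gaddr/faddr fields out of a PIX 303002 message into a record like the table the mail describes. The sample line and the "pix[4711]: " prefix are constructed for the example; the struct and function names are assumptions, not anything syslog-ng provides.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record for the connection table described in the mail. */
struct pix_conn {
    char program[32]; long pid;        /* pid is -1 when no [pid] is present */
    char code[32];                     /* e.g. "%PIX-6-303002" */
    char proto[8]; char direction[16]; /* "TCP", "outbound" ... */
    char laddr[46]; int lport;
    char gaddr[46]; int gport;
    char faddr[46]; int fport;
};

/* Split "program[pid]: message" into parts. Returns 1 if a prefix was found,
   0 if the whole text is the message, -1 if the [pid] bracket is malformed.
   Bounded copies keep an over-long or hostile program name from overflowing. */
static int split_program(const char *text, struct pix_conn *c, const char **msg_out)
{
    const char *colon = strchr(text, ':');
    c->program[0] = '\0'; c->pid = -1; *msg_out = text;
    if (!colon || colon[1] != ' ') return 0;
    for (const char *p = text; p < colon; p++)     /* program part has no spaces; */
        if (*p == ' ') return 0;                   /* otherwise it is message text */
    const char *lb = memchr(text, '[', (size_t)(colon - text));
    size_t plen = lb ? (size_t)(lb - text) : (size_t)(colon - text);
    if (plen == 0 || plen >= sizeof c->program) return 0;
    memcpy(c->program, text, plen); c->program[plen] = '\0';
    if (lb) {
        char *end; long pid = strtol(lb + 1, &end, 10);
        if (end == lb + 1 || *end != ']' || end + 1 != colon) return -1;
        c->pid = pid;
    }
    *msg_out = colon + 2;
    return 1;
}

/* Parse an "addr/port" token; port must be a whole number in 0..65535. */
static int parse_addr_port(const char *tok, size_t toklen, char *addr, size_t addrsz, int *port)
{
    const char *slash = memchr(tok, '/', toklen);
    if (!slash) return 0;
    size_t alen = (size_t)(slash - tok);
    if (alen == 0 || alen >= addrsz) return 0;
    memcpy(addr, tok, alen); addr[alen] = '\0';
    char *end; long p = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || end != tok + toklen || p < 0 || p > 65535) return 0;
    *port = (int)p;
    return 1;
}

/* Find "<key> <addr/port>" as a whole word inside msg and parse the token. */
static int field_after(const char *msg, const char *key, char *addr, size_t addrsz, int *port)
{
    size_t klen = strlen(key);
    for (const char *p = msg; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p == msg || p[-1] == ' ') && p[klen] == ' ') {
            const char *tok = p + klen + 1;
            return parse_addr_port(tok, strcspn(tok, " \t\r\n"), addr, addrsz, port);
        }
    }
    return 0;
}

/* Parse one line. Returns 1 for a recognised "%PIX-... Build <proto> <dir> connection"
   message with all three address fields, 0 for anything else. */
int parse_pix_connection(const char *line, struct pix_conn *c)
{
    const char *msg;
    memset(c, 0, sizeof *c);
    if (split_program(line, c, &msg) < 0) return 0;
    size_t clen = strcspn(msg, " ");               /* first token is the message code */
    if (clen >= sizeof c->code || strncmp(msg, "%PIX-", 5) != 0) return 0;
    memcpy(c->code, msg, clen); c->code[clen] = '\0';
    const char *rest = msg + clen; if (*rest == ' ') rest++;
    if (strncmp(rest, "Build ", 6) != 0) return 0;
    rest += 6;
    size_t plen = strcspn(rest, " ");
    if (plen == 0 || plen >= sizeof c->proto) return 0;
    memcpy(c->proto, rest, plen); c->proto[plen] = '\0';
    rest += plen; if (*rest == ' ') rest++;
    size_t dlen = strcspn(rest, " ");
    if (dlen == 0 || dlen >= sizeof c->direction) return 0;
    memcpy(c->direction, rest, dlen); c->direction[dlen] = '\0';
    if (!field_after(msg, "laddr", c->laddr, sizeof c->laddr, &c->lport)) return 0;
    if (!field_after(msg, "gaddr", c->gaddr, sizeof c->gaddr, &c->gport)) return 0;
    if (!field_after(msg, "faddr", c->faddr, sizeof c->faddr, &c->fport)) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample in the form quoted in the mail; the "pix[4711]: " prefix
       is an assumption about how program+pid arrive inside $MSG. */
    const char *sample = "pix[4711]: %PIX-6-303002 Build TCP outbound connection : "
                         "laddr 1.1.1.1/80 gaddr 2.2.2.2/100 faddr 3.3.3.3/110";
    struct pix_conn c;
    if (parse_pix_connection(sample, &c))
        printf("%s pid=%ld %s %s %s l=%s:%d g=%s:%d f=%s:%d\n", c.program, c.pid, c.code,
               c.proto, c.direction, c.laddr, c.lport, c.gaddr, c.gport, c.faddr, c.fport);
    else
        puts("not a PIX connection message");
    return 0;
}
```

The program prefix is only accepted when the text before the first ": " contains no spaces, so a message such as "Build TCP outbound connection : laddr ..." that itself contains " : " is not mistaken for a program name; a line that fails any check is rejected rather than half-filled, which is what you want before the record goes into a table.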

----- Original Message -----
From: "Jonas Lundgren" <neonman@copyleft.mine.nu>
To: <syslog-ng@lists.balabit.hu>
Sent: Friday, June 06, 2003 11:34 AM
Subject: Re: [syslog-ng]filter match()


> > Hi all,
> >
> > during some extensive tests on syslog-ng, I found something that really
> > makes it difficult for me to implement some filters.
> >
> > I need to match the same EXACT messages, and so I used something like
> > match("^MATCHTHIS$") in a filter statement...
> >
> > but I find that the match will consider the message starting from the
> > program name...
> >
> > Is there any way to match JUST the message part without the program one
> > ??? (the program() just works on the program part of the message, so I
> > expected that match() would work on the other one...)
> >
> > Thanks in advance
> >
> >
> > Amodiovalerio Verde
> >
> > amodiovalerio.verde@ags-it.com
> > amover@libero.it
> >
> > _______________________________________________
> > syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> >
>
> A regexp won't slow things down.
>