[syslog-ng] match(regex) problem
Balazs Scheidler
bazsi at balabit.hu
Mon Dec 19 09:59:04 CET 2005
On Sat, 2005-12-17 at 22:14 +0100, Staszek Pitucha wrote:
> Hello
> I've tried to set up some filters lately (v1.9.7).
> There's a problem with regex character ^. For example I want to filter
> out "Accepted password" and my home IP from sshd logs, so I set up:
>
> filter f_sshd {
> (program("sshd") and not (
> (match("Accepted password") and match("from 123\.456\.789\.012")) or
> // other rules
> )) or
> not program("sshd");
> };
>
> Works ok, but I want to filter only messages starting with "Accepted
> password", but "^Accepted password" doesn't work.
>
> Yes - I know - don't use ^, so it's faster. Anyway - "^Accepted" should
> work as a match pattern and it doesn't. (it should match only the "text"
> part of message, am I right?)
No, it matches everything starting from the program name.
--
Bazsi
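
Added example, not part of the original message and not syslog-ng code: a Python simulation of the behaviour described in the reply above. It assumes the string match() sees has the form `program[pid]: message` and uses Python's `re` in place of syslog-ng's regex engine; the log lines are constructed.

```python
import re

# Constructed sample lines: (program tag, message text) as sshd would log them.
SAMPLES = [
    ("sshd[2211]", "Accepted password for alice from 192.0.2.10 port 50022 ssh2"),
    ("sshd[2212]", "Failed password for bob from 198.51.100.7 port 40100 ssh2"),
    ("sshd[2213]", "error: Accepted password string appears mid-message"),
]


def full_text(tag, msg):
    # Assumption: match() is applied to "<program>[pid]: <message>",
    # i.e. everything starting from the program name.
    return f"{tag}: {msg}"


def message_only(tag, msg):
    # What the original poster expected match() to see.
    return msg


def hits(pattern, view):
    """Return indexes of SAMPLES whose viewed text matches the pattern."""
    rx = re.compile(pattern)
    return [i for i, (tag, msg) in enumerate(SAMPLES) if rx.search(view(tag, msg))]


def compare():
    return {
        # The poster's expectation: ^ anchors at the start of the message text.
        "anchored_message_only": hits(r"^Accepted password", message_only),
        # Actual behaviour per the reply: ^ anchors at the program name, so no hit.
        "anchored_full": hits(r"^Accepted password", full_text),
        # Unanchored pattern also hits lines that merely contain the phrase.
        "unanchored_full": hits(r"Accepted password", full_text),
        # Anchoring through the program tag restores "message starts with".
        "anchored_after_tag": hits(r"^sshd\[[0-9]+\]: Accepted password", full_text),
    }


if __name__ == "__main__":
    for name, idx in compare().items():
        print(f"{name:24} -> {idx}")
```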