[syslog-ng] match(regex) problem
Nate Campi
nate at campin.net
Mon Dec 19 23:12:41 CET 2005
On Mon, Dec 19, 2005 at 09:59:04AM +0100, Balazs Scheidler wrote:
> On Sat, 2005-12-17 at 22:14 +0100, Staszek Pitucha wrote:
> > Hello
> > I've tried to setup some filters lately (v1.9.7).
> > There's a problem with regex character ^. For example I want to filter
> > out "Accepted password" and my home ip from sshd logs, so I setup:
> >
> > filter f_sshd {
> > (program("sshd") and not (
> > (match("Accepted password") and match("from 123\.456\.789\.012")) or
> > // other rules
> > )) or
> > not program("sshd");
> > };
> >
> > Works ok, but I want to filter only messages starting with "Accepted
> > password", but "^Accepted password" doesn't work.
> >
> > Yes - I know - don't use ^, so it's faster. Anyway - "^Accepted" should
> > work as a match pattern and it doesn't. (it should match only the "text"
> > part of message, am I right?)
>
> No, matches everything starting from the program name.

This isn't what I've observed in the past, but when I test now with
1.6.8 I see that this catches all the sshd messages:

filter f_ssh_any { match("^sshd"); };
destination d_ssh_any { file("/tmp/ssh_any.log"); };
log { source(src); filter(f_ssh_any); destination(d_ssh_any); };

I remember when developing matches for 1.6.6 or 1.6.7 that the program
name wasn't available when using the match() function. Did this change
recently, or did I do something wrong back then?

BTW, I've created a new FAQ item to help people with quoting and
escaping in syslog-ng regexes.
http://www.campin.net/syslog-ng/faq.html#escaping

--
Nate
"Humour is the great thing, the saving thing. The minute it crops up,
all our irritations and resentments slip away and a sunny spirit takes
their place" - Samuel Clemens
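
The following is an added example, not part of the original message and not syslog-ng code: a Python model of the behaviour discussed in the thread, showing why "^Accepted password" finds nothing while "^sshd" catches every sshd line when the regex is applied starting from the program name. The "prog[pid]: text" layout, the sample log lines and the helper names are assumptions, and Python's re module stands in for syslog-ng's regex engine.

```python
import re

# Constructed sample events: (program, pid, message text). Addresses come from
# the documentation range 192.0.2.0/24, not from the original thread.
SAMPLES = [
    ("sshd", 4211, "Accepted password for alice from 192.0.2.10 port 50022 ssh2"),
    ("sshd", 4212, "Failed password for root from 192.0.2.99 port 40110 ssh2"),
    ("sshd", 4213, "error: Accepted password check skipped for bob"),
    ("cron", 977, "(root) CMD (run-parts /etc/cron.hourly)"),
]


def match_target(program, pid, text, include_program=True):
    """String the regex is applied to.

    include_program=True models the behaviour described in the thread
    (assumed layout 'prog[pid]: text'); False models a text-only match.
    """
    return f"{program}[{pid}]: {text}" if include_program else text


def matching(pattern, include_program=True):
    """Return the message texts of the samples whose match target the pattern hits."""
    rx = re.compile(pattern)
    return [text for prog, pid, text in SAMPLES
            if rx.search(match_target(prog, pid, text, include_program))]


def report():
    """Print hit counts for each pattern under both models."""
    patterns = (
        r"Accepted password",                     # unanchored, as in the quoted filter
        r"^Accepted password",                    # anchored to the text part only
        r"^sshd",                                 # the f_ssh_any test filter
        r"^sshd\[[0-9]+\]: Accepted password",    # anchor that includes the program prefix
    )
    for pat in patterns:
        for inc in (False, True):
            hits = len(matching(pat, inc))
            print(f"{pat!r:42} include_program={inc!s:5} -> {hits} hit(s)")


if __name__ == "__main__":
    report()
```

The unanchored pattern also hits the constructed "error: Accepted password check skipped" line, which is the case an anchor is meant to exclude.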