[syslog-ng] Question about regular expressions
Alexander Clouter
ac56 at soas.ac.uk
Fri Jan 12 11:06:37 CET 2007
Hi,
Phusion <phusion2k at gmail.com> [20070111 12:14:23 -0600]:
>
> I need some help in my config file using regular expressions. This
> filter is for http requests from Apache. I am trying to get this
> filter to catch the following two types of messages.
>
> httpd[....] and /websites/abc/test
> logger: and test.abc.com
>
> I have tried the following.
>
> filter fd_httpd_test.abc.com { match("httpd[\[0-9]+\]") and
> match("/websites/abc/test")
> or match("logger:") and match("test.abc.com"); };
>
> I also tried this.
>
> filter fd_httpd_test.abc.com { match("httpd[\[0-9]+\]*/websites/abc/test")
> or match("logger:*test.abc.com"); };
>

Time to brush up on your regex. There are a bunch of 'special' characters
that need to be escaped (with a backslash '\') if you want to explicitly look
for them.

* '.' means any character
* '/' means, well it's hard to explain but it's used to make the regex
  perform a function
* '[' and ']' are used to say things like "one character from the list
  contained within the square brackets". So '[abc]' would say a single
  instance of either 'a', 'b' or 'c'

A good starting point would be to have a look at:

http://www.regular-expressions.info/quickstart.html

I'm guessing the following will match:

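filter fd_httpd_test.abc.com {
    # Two message types are wanted, so the groups are joined with "or":
    # one log line cannot be both the httpd and the logger format.
    ( match("httpd\[[0-9]+\]:") and match("\/websites\/abc\/test") )
    or
    ( match("logger:") and match("test\.abc\.com") );
};
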
Cheers
Alex
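
The patterns discussed in this thread, run against sample lines, as an added example that is not part of the original message or of syslog-ng. It assumes match() behaves as an unanchored search over the whole line and that Python's `re` treats these particular patterns the same way; the sample lines and function names are constructed for illustration.

```python
import re

# Constructed sample lines (not from the thread); the whole line is searched.
SAMPLES = {
    "apache": "web1 httpd[2317]: GET /websites/abc/test/index.html 200",
    "logger": "web1 logger: test.abc.com GET /index.html 200",
    "lookalike": "web1 logger: testXabc-com GET /index.html 200",
    "other": "web1 sshd[411]: Accepted publickey for alice",
}

def match(pattern, line):
    """Unanchored regex search, standing in for syslog-ng's match()."""
    return re.search(pattern, line) is not None

def glob_style(line):
    # Second attempt from the question: '*' written as if it were a wildcard.
    # In a regex it only repeats the preceding ']' or ':' zero or more times.
    return (match(r"httpd[\[0-9]+\]*/websites/abc/test", line)
            or match(r"logger:*test.abc.com", line))

def dots_unescaped(line):
    # Separate match() calls, but '.' still means "any character".
    return ((match(r"httpd\[[0-9]+\]:", line) and match(r"/websites/abc/test", line))
            or (match(r"logger:", line) and match(r"test.abc.com", line)))

def dots_escaped(line):
    # Literal brackets and dots; either message type is accepted.
    return ((match(r"httpd\[[0-9]+\]:", line) and match(r"\/websites\/abc\/test", line))
            or (match(r"logger:", line) and match(r"test\.abc\.com", line)))

def evaluate(filter_fn):
    """Return the sorted names of the sample lines a filter accepts."""
    return sorted(name for name, line in SAMPLES.items() if filter_fn(line))

if __name__ == "__main__":
    for fn in (glob_style, dots_unescaped, dots_escaped):
        print(f"{fn.__name__:15} -> {evaluate(fn)}")
```

The glob-style patterns accept none of the lines, and the unescaped dots also accept the lookalike host name, which is how an imprecise filter ends up routing unrelated log lines into a destination.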