[syslog-ng] regexp and template syntax suggestion
Evan Rempel
erempel at uvic.ca
Thu Mar 1 19:07:31 CET 2007
Using the $1 .. $n syntax for back substitution into the template can be problematic when
multiple filter functions are used.
For example, if I wanted to make a template that used the short hostname and a portion of a message, I could use
host(^([^\.]+)\.) and use $1 to get the short hostname
match(bad login from ([^ ]+) ) and use $1 to get the ip address that originated the login.
The final filter would be
filter fail_login { host(^([^\.]+)\.) and match(bad login from ([^ ]+) ); };
To create a template that used both of these, I need to use $1 twice :-(
Suggestion:
Allow syntax that specifies user-definable macro names for expansion.
host("^([^\.]+)\." fullmatch shorthost)
match("bad login from ([^ ]+) " fullmatch ip)
and the filter becomes
filter fail_login { host("^([^\.]+)\." shorthost) and match("bad login from ([^ ]+) " ip); };
and then a template can be written as
template my_template { template("$ISODATE $HOST $shorthost is being attacked from $ip\n"); template_escape(no); };
The "fullmatch" is in keeping with the regexp matching syntax of many languages.
An additional concern is that users might attempt to use new macro names that conflict with existing ones, but that
should be easy to handle.
--
Evan Rempel erempel at uvic.ca
Senior Programmer Analyst 250.721.7691
Computing Services
University of Victoria
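The collision described in the post, and the proposed fix, can be emulated outside syslog-ng. The following is an added example, not code from the post or from the syslog-ng project: a small Python model of a filter chain feeding a template expander. The first scheme stores every filter's groups as $1..$n (so the second filter overwrites the first); the second stores them under user-chosen names and rejects a name that shadows a built-in macro or one an earlier filter already set. The record dict, the RESERVED_MACROS set and the sample message are constructed for the example; the real syslog-ng macro set and template syntax are richer than what is modelled here.

```python
import re

# Constructed sample record (not real log data): the macros the log daemon
# would already provide for one message, keyed by macro name.
SAMPLE_RECORD = {
    "ISODATE": "2007-03-01T19:07:31+01:00",
    "HOST": "gw1.cs.uvic.ca",
    "MESSAGE": "sshd[1234]: bad login from 192.0.2.45 port 52213",
}

# Assumed subset of built-in macro names that user-defined names must not shadow.
RESERVED_MACROS = {"ISODATE", "HOST", "MESSAGE", "PROGRAM", "PID"}

# The template from the post, using the proposed named macros.
TEMPLATE = "$ISODATE $HOST $shorthost is being attacked from $ip\n"

# Filters as (field, regexp): emulates host(...) and match(...).
POSITIONAL_FILTERS = [
    ("HOST", re.compile(r"^([^.]+)\.")),
    ("MESSAGE", re.compile(r"bad login from ([^ ]+) ")),
]

# Proposed form: (field, regexp, [macro name per capture group]).
NAMED_FILTERS = [
    ("HOST", re.compile(r"^([^.]+)\."), ["shorthost"]),
    ("MESSAGE", re.compile(r"bad login from ([^ ]+) "), ["ip"]),
]


def positional_captures(record, filters):
    """Current $1..$n scheme: each filter stores its groups as '1', '2', ...
    so a later filter silently overwrites an earlier one's captures.
    Returns None when any filter fails to match (message filtered out)."""
    macros = dict(record)
    for field, rx in filters:
        m = rx.search(record[field])
        if m is None:
            return None
        for i, val in enumerate(m.groups(), start=1):
            macros[str(i)] = val
    return macros


def named_captures(record, filters, reserved=RESERVED_MACROS):
    """Proposed scheme: each filter names its groups. Rejects a name that
    collides with a built-in macro or with one set by an earlier filter."""
    macros = dict(record)
    for field, rx, names in filters:
        if len(names) != rx.groups:
            raise ValueError(f"{rx.pattern!r} has {rx.groups} group(s), "
                             f"{len(names)} name(s) given")
        m = rx.search(record[field])
        if m is None:
            return None
        for name, val in zip(names, m.groups()):
            if name in reserved:
                raise ValueError(f"{name!r} conflicts with a built-in macro")
            if name in macros:
                raise ValueError(f"{name!r} already defined by an earlier filter")
            macros[name] = val
    return macros


MACRO_RE = re.compile(r"\$(\w+)")


def expand(template, macros):
    """Expand $name references; an undefined name is an error, not ''."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro ${name}")
        return macros[name]
    return MACRO_RE.sub(sub, template)


if __name__ == "__main__":
    pos = positional_captures(SAMPLE_RECORD, POSITIONAL_FILTERS)
    print("positional $1:", pos["1"])  # the short host 'gw1' has been overwritten
    named = named_captures(SAMPLE_RECORD, NAMED_FILTERS)
    print(expand(TEMPLATE, named), end="")
```

Running it shows $1 holding only the last filter's capture, while the named form renders the template with both values. The conflict checks are the "easy to handle" part of the post: rejecting a reserved or duplicate name at configuration time is cheaper than debugging a template that silently expands the wrong value.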