[syslog-ng] Using regexp in match()
Jan Kreps
krepsj at seznam.cz
Wed Jul 9 14:43:55 CEST 2008
Hi All.
I'm trying to set up a central syslog-ng server for my Exchange servers. On Windows servers I use the Epilog agent (brother of Snare) to forward tracking logs to the central syslog.
And I want to feed the logs into MySQL. The problem is that an event sent by Epilog consists of four fields: Date, System, Type and Strings. But I don't need them. The actual content of the tracking log -- some 20 fields -- is hidden in the String. So I need to parse the String to obtain the fields I'm interested in.
According to syslog-ng admin guide:
The host(), match(), and program() filter functions accept extended regular expressions (also called
POSIX modern regular expressions) as parameters. The regular expressions can use up to 255 regexp matches
($1 ... $255). For case-insensitive searches, start the expression with the (?i) string.
So I tried regexps to do this, but without success. My idea was to use a grouping regexp, which would remember matches in $1 .. $20, and use these in the template section.
Say the format is: field1\011field2\011, so fields in String are separated by '\011'.
I tried:
filter f_parse {
    match("([^\\011]*)\\011([^\\011]*)\\011");
};
but when I try to use $1 and $2 afterwards in the template, they seem empty.
Am I completely wrong with this approach, or did I miss something?
Thanks in advance
Jan
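Added example, not part of the original post or of syslog-ng: a stand-alone Python sketch of the parsing the poster is after, i.e. one capturing group per tab-separated column of the Strings part, followed by building a parameterized INSERT for MySQL. The Epilog layout (Date, System, Type, Strings separated by tabs), the sample event, the column names and the table name are all constructed assumptions for illustration; the real tracking-log schema has around 20 columns. Two points worth taking from it: the tab is placed into the pattern as a literal character (POSIX ERE defines no octal escapes such as \011, so what a given engine does with them is engine-dependent), and the column names come from a fixed list rather than from the log line, so only values are passed as query parameters.

```python
import re
from typing import Dict, Optional, Tuple

# Octal 011 is the tab character. We put the real character into the regex
# instead of an escape sequence, so the pattern does not depend on how a
# particular regex engine treats backslash-digit sequences.
TAB = "\011"

# Assumed column names (illustration only, not the real tracking-log schema).
COLUMNS = ["date_time", "client_ip", "client_hostname", "source",
           "event_id", "sender_address", "recipient_address"]

# Constructed sample Strings payload: one value per assumed column, tab separated.
SAMPLE_STRINGS = TAB.join([
    "2008-07-09 12:00:01",
    "10.0.0.5",
    "MAIL01",
    "SMTP",
    "RECEIVE",
    "alice@example.com",
    "bob@example.com",
])

# Constructed sample of a whole Epilog event as described in the post:
# Date, System, Type, then the Strings part (layout is an assumption).
SAMPLE_EVENT = TAB.join(["Wed Jul 09 14:43:55 2008", "MAIL01", "MSExchange",
                         SAMPLE_STRINGS])

# Same idea as the poster's filter: "([^\t]*)" per column, separated by tabs.
# Built from COLUMNS so the number of groups always equals the number of
# columns, and anchored with "$" so extra trailing fields are rejected.
FIELD_RE = re.compile(TAB.join(r"([^\t]*)" for _ in COLUMNS) + r"$")


def parse_strings(payload: str) -> Optional[Dict[str, str]]:
    """Map the tab-separated Strings part onto COLUMNS; None on a column-count mismatch."""
    m = FIELD_RE.match(payload)
    if m is None:
        return None
    return dict(zip(COLUMNS, m.groups()))


def parse_epilog(event: str) -> Optional[Dict[str, str]]:
    """Split the four Epilog fields, then parse the Strings field into columns."""
    parts = event.split(TAB, 3)  # Date, System, Type, Strings (Strings keeps its own tabs)
    if len(parts) != 4:
        return None
    date, system, typ, strings = parts
    fields = parse_strings(strings)
    if fields is None:
        return None
    return {"date": date, "system": system, "type": typ, **fields}


def build_insert(row: Dict[str, str], table: str = "tracking") -> Tuple[str, tuple]:
    """Return (sql, params) for a parameterized INSERT; identifiers come only from
    the fixed COLUMNS list, values travel as %s parameters (MySQLdb/PyMySQL style)."""
    cols = ", ".join(f"`{c}`" for c in COLUMNS)
    placeholders = ", ".join("%s" for _ in COLUMNS)
    sql = f"INSERT INTO `{table}` ({cols}) VALUES ({placeholders})"
    return sql, tuple(row[c] for c in COLUMNS)


if __name__ == "__main__":
    row = parse_epilog(SAMPLE_EVENT)
    print(row)
    print(build_insert(row))
```

The pattern is deliberately strict: a payload with too few or too many tab-separated values returns None instead of silently shifting every later column by one, which is the failure mode that otherwise ends up as wrong data in the database. To execute the INSERT, pass the returned pair to a DB-API cursor as cursor.execute(sql, params) rather than formatting the values into the string yourself.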