[syslog-ng] Using regexp in match()

[Balazs Scheidler]

On Wed, 2008-07-09 at 14:43 +0200, Jan Kreps wrote:
> Hi All.
> 
> I'm trying to setup central syslog-ng server for my Exchange servers. On windows servers I use Epilog agent (brother of Snare) forwarding tracking logs to central syslog.
> 
> And I want to feed the logs into MySQL. Problem is that event sended by Epilog consists from four fields: Date, System, Type and Strings. But I don't need them. Actual content of tracking log -- some 20 fileds -- is hidden in the String.  So I need to parse the String to obtain the fields I'm interested in.
> 
> According to syslog-ng admin guide:
> 
> The host(), match(), and program() filter functions accept extended regular expressions (also called
> POSIX modern regular expressions) as parameters. The regular expressions can use up to 255 regexp matches
> ($1 ... $255). For case-insensitive searches, start the expression with the (?i) string.
> 
> 
> So I tried regexps to do this, but without success. My idea was to use grouping regexp, which would remmember matches in $1 .. $20 and use these in template section. 
> 
> Say the format is: filed1\011field2\011, so fields in String are separated by '\011'.
> 
> I tried:
> 
> filter f_parse {
>   match("([^\\011]*)\\011([^\\011]*)\\011");
> };
> 
> but when i try use $1 and $2 afterwards in template they seem empty
> 
> 
> Am I completely wrong with this approach, or I missed something?

Is this your last filter? The message remembers the matches of the last
filter only so you have to ensure that this regexp is executed last.

I'll try to do a backport of all the open-sourced features we've
developed for syslog-ng Premium Edition 3.0 to the open source edition.
That has support for 'parsing', e.g. extracting information from
messages into macros. That should be way easier to use than the current
regexp-matches approach. I hope to get it done over the weekend, but
don't hold your breath.

-- 
Bazsi