[syslog-ng] Using regexp in match()
Jan Kreps
krepsj at seznam.cz
Thu Jul 10 09:48:31 CEST 2008
> > I'm trying to set up a central syslog-ng server for my Exchange servers. On
> > Windows servers I use the Epilog agent (brother of Snare) forwarding tracking
> > logs to the central syslog.
> > Say the format is: field1\011field2\011, so fields in the string are separated
> > by '\011'.
> >
> > I tried:
> >
> > filter f_parse {
> > match("([^\\011]*)\\011([^\\011]*)\\011");
> > };
> >
> Is this your last filter? The message remembers the matches of the last
> filter only so you have to ensure that this regexp is executed last.
Thanks for your answer Bazsi.
Finally I got it.
Obviously I have used a bad regexp. The Exchange tracking log uses tabs as delimiters. But when I saved the $MSG string to a text log, the tabs were changed to '\011'.
So now I changed my regexp to use tabs as delimiters:
filter f_parsing {
match("([^\t]*)\t([^\t]*)\t");
};
This works like a charm and saves the first two tab-delimited fields (date and time in this case) to $1 and $2.
I will write a HOWTO when I finish the configuration completely.
Thanks for your time.
Jan
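Added illustration (not part of the thread, and not syslog-ng code): a small Python reproduction of the mismatch Jan describes. The sample tracking-log record is constructed; the first pattern treats the delimiter as the four printable characters '\011' that the saved text log showed, the second uses a real tab as in the working filter.

```python
import re

# Constructed sample: one Exchange-style tracking-log record, tab-delimited,
# with the date and time as the first two fields (not taken from the thread).
SAMPLE_MSG = "2008-07-10\t09:48:31\t192.0.2.10\tEXCH01\tSMTP\tRECEIVE"

# First attempt from the thread: the delimiter is taken to be the four
# printable characters backslash, '0', '1', '1' (what the saved log showed),
# so the character class excludes those characters rather than a tab.
WRONG_PATTERN = re.compile(r"([^\\011]*)\\011([^\\011]*)\\011")

# Working pattern from the thread: the delimiter is a real tab character.
RIGHT_PATTERN = re.compile(r"([^\t]*)\t([^\t]*)\t")


def first_two_fields(msg, pattern):
    """Return ($1, $2) for the first match of pattern in msg, or None."""
    m = pattern.search(msg)
    if m is None:
        return None
    return m.group(1), m.group(2)


def octal_escape(text):
    """Render non-printable characters the way the saved text log did:
    a tab (octal 011) becomes the four printable characters '\\011'."""
    return "".join(
        ch if 32 <= ord(ch) < 127 else "\\%03o" % ord(ch) for ch in text
    )


if __name__ == "__main__":
    # The escaped view is what misled the first regexp: it contains no tabs.
    print("as written to the text log:", octal_escape(SAMPLE_MSG))
    print("\\011 pattern on the live message:",
          first_two_fields(SAMPLE_MSG, WRONG_PATTERN))
    print("tab pattern on the live message: ",
          first_two_fields(SAMPLE_MSG, RIGHT_PATTERN))
```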