[syslog-ng] Using regexp in match()

Balazs Scheidler bazsi at balabit.hu
Thu Jul 24 10:16:27 CEST 2008


On Tue, 2008-07-22 at 09:45 +0200, Jan Kreps wrote:
> > ------------ Original message ------------
> > From: Jan Kreps <krepsj at seznam.cz>
> > Subject: Re: [syslog-ng] Using regexp in match()
> > Date: 10.7.2008 10:29:35
> > ----------------------------------------
> > 
> > > I'm trying to set up a central syslog-ng server for my Exchange servers. On
> > > Windows servers I use the Epilog agent (brother of Snare) to forward tracking
> > > logs to the central syslog.
> 
> > Obviously I had used a bad regexp. The Exchange tracking log uses tabs as delimiters.
> > But when I saved the $MSG string to a text log, the tabs were changed to '\011'. 
> > 
> > So now I changed my regexp to use tabs as delimiters:
> > 
> > filter f_parsing {
> >   match("([^\t]*)\t([^\t]*)\t");
> > }; 
> > 
> > This works like a charm and saves the first two tab-delimited fields (date and time in
> > this case) to $1 and $2.
> > 
> 
> Some more remarks on the subject. 
> 
> The syslog-ng Administrator Guide, 1.1.1 Edition from May 2008, says on page 111:
> 
> "The regular expressions can use up to 255 regexp matches ($1 ... $255)."
> 
> and on page 112:
> 
> "Regarding braces around macro names, the following two formats are equivalent "$MSG" and "${MSG}"."
> 
> The fact is that for regexp matches greater than 9 the ${} format MUST be used. If you use for instance $12, it resolves as the content of $1 followed by the character '2'. I found out that I have to use the ${} syntax from the ChangeLog remark for patch 137. I guess that should be stated more clearly in the Admin Guide. In this respect, the statement "The regular expressions can use up to 255 regexp matches ($1 ... $255)" is not true and should be corrected. 
> 

Right, this should be fixed in the documentation.

> And I have one question about file creation.
> 
> When something is logged, a file is created according to destination(). But when I delete the file, it is not created anymore until syslog-ng is restarted. Is that correct/expected behaviour?
> 
> I run Debian Etch with syslog-ng 2.0.9-1 from the unstable branch (stable still has version 2.0.0).

Yes, you need to send the HUP signal to syslog-ng in order to reopen log
files. This is the way UNIX works. (The application does not know about
the deletion of a logfile.)

-- 
Bazsi
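The two filter points raised in the thread, the tab-delimited match() regexp and the $12 versus ${12} macro resolution, as an added Python example. This is not code from the thread or from syslog-ng itself: the tracking-log line is constructed with made-up values, and the macro expander is a small model of the resolution rule Jan describes (a bare $ takes exactly one digit, ${...} takes the whole name), not syslog-ng's own template parser.

```python
import re

# Constructed sample (values are made up, the layout is only illustrative):
# one Exchange tracking log line as the Epilog agent forwards it, so the
# tab-separated fields arrive in $MSG with the tabs intact.
SAMPLE_MSG = "\t".join([
    "2008-07-10", "10:29:35", "192.0.2.10", "CLIENT01", "", "EXCH01",
    "192.0.2.20", "alice@example.com", "1019", "<msg-1@example.com>", "2", "0",
])

# The regexp from the thread: capture the first two tab-delimited fields.
TAB_FIELDS = re.compile(r"([^\t]*)\t([^\t]*)\t")

# Same idea extended to twelve fields, so that a reference beyond $9 exists.
TWELVE_FIELDS = re.compile(r"\t".join([r"([^\t]*)"] * 12))

# Macro grammar as the thread describes syslog-ng 2.0 resolving it (a model,
# not syslog-ng's parser): ${...} takes everything up to the closing brace as
# the name, while a bare $ takes exactly ONE digit or a run of letters and
# underscores. Hence "$12" is "$1" followed by a literal "2".
MACRO_RE = re.compile(r"\$(?:\{([^}]+)\}|(\d)|([A-Za-z_]+))")


def match_groups(msg, pattern=TAB_FIELDS):
    """Apply a match() regexp to $MSG and return the $1..$N values keyed by
    their number, plus $MSG itself. Returns None when the filter would not match."""
    m = pattern.search(msg)
    if m is None:
        return None
    groups = {"MSG": msg}
    for i, value in enumerate(m.groups(), start=1):
        groups[str(i)] = value
    return groups


def expand(template, groups):
    """Expand $N, ${N}, $NAME and ${NAME} references in a template string."""
    def replace(m):
        name = m.group(1) or m.group(2) or m.group(3)
        return groups.get(name, "")
    return MACRO_RE.sub(replace, template)


def demo():
    """Show the $12 pitfall next to the ${12} form that works."""
    groups = match_groups(SAMPLE_MSG, TWELVE_FIELDS)
    return {
        "two_fields": match_groups(SAMPLE_MSG),        # $1 and $2 only
        "bare_12": expand("$12", groups),              # $1 followed by "2"
        "braced_12": expand("${12}", groups),          # field 12
        "braced_mix": expand("${1} ${2} rcpt=${8}", groups),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block prints the two-field capture, then `bare_12` as the date with a `2` glued on, and `braced_12` as the twelfth field. The practical rule for a destination template is therefore to write every match reference as `${N}`; it costs nothing for `$1`..`$9` and is the only form that works above them.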


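The file-deletion behaviour Bazsi explains, as an added Python example that is not from the thread or from syslog-ng. A long-running writer keeps the descriptor it opened; after the directory entry is removed, writes still succeed into the now-unlinked inode, and only a reopen (what syslog-ng does on SIGHUP) creates a fresh file at the path. The `LogFile` class is a hypothetical stand-in for a file destination, and the file name is constructed.

```python
import os
import tempfile


class LogFile:
    """Minimal model of a file destination: the path is opened once and the
    descriptor is kept for every later write, which is how a daemon such as
    syslog-ng behaves. reopen() does what a SIGHUP makes syslog-ng do."""

    def __init__(self, path):
        self.path = path
        self.fd = None
        self.reopen()

    def reopen(self):
        if self.fd is not None:
            os.close(self.fd)
        self.fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)

    def write(self, line):
        os.write(self.fd, (line + "\n").encode())

    def link_count(self):
        # Drops to 0 once the directory entry is gone; the inode (and the
        # data written so far) survives until the last descriptor is closed.
        return os.fstat(self.fd).st_nlink

    def close(self):
        if self.fd is not None:
            os.close(self.fd)
            self.fd = None


def demo():
    """Write, rm the file underneath the writer, write again, then reopen.
    Returns what can be observed at each step."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "exchange.log")   # constructed name
        log = LogFile(path)
        log.write("first line")
        os.unlink(path)                 # the rm from the thread
        log.write("second line")        # still succeeds: goes to the orphaned inode
        after_rm = {"exists": os.path.exists(path), "nlink": log.link_count()}
        log.reopen()                    # equivalent of: kill -HUP $(pidof syslog-ng)
        log.write("third line")
        log.close()
        with open(path) as f:
            content = f.read()
        return {"after_rm": after_rm,
                "exists_after_reopen": os.path.exists(path),
                "content": content}


if __name__ == "__main__":
    print(demo())
```

Note that the two lines written before the reopen are gone for good: they went into the unlinked inode and were freed with it. On Linux you can see the situation on a live daemon with `ls -l /proc/<pid>/fd`, where the stale descriptor shows the path suffixed with `(deleted)`. This is also why logrotate's postrotate scripts signal the daemon after moving a log file rather than expecting it to notice.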
