[syslog-ng] escaping \[ not respected

Christopher Cashell ChristopherCashell at solutionary.com
Wed Oct 1 17:35:59 CEST 2008 

I think you've nailed it here.  My understanding is that Syslog-NG does
it's own backslash escaping before passing the string to the regex
engine which then does the regex backslash escaping.  That means you
need to double your backslash in those cases.

I've also found this to be the case for periods and carrots.  If you do
'\.' it will still match any character as syslog-ng strips the first
backslash before passing through the regex.  To match a real period you
need to do '\\.' (same with '\^', to match a real carrot you need '\\^').

I don't remember if, or how well, this is documented.  I know it kicked
my butt pretty good until I figured out that I needed to backslash
escape the backslash escape in a regex, though.  Specifically, when
using single escaped periods, I was getting bitten with IP address
regex's that were inexplicably matching things they shouldn't be.

-- 
Christopher Cashell

Fegan, Joe did thus speak on 10/1/2008 10:23 AM:
> Maybe you need to quote the \ to pass it through to lower layers. Just a thought. Try this:
> 
> filter f_conn_from_unk_private {
>   not match("unknown\\\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)");
> };
> 
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Len Conrad
> Sent: 01 October 2008 13:57
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] escaping \[ not respected
> 
> 
>> Hello,
>>
>>> targeted string is "unknown[a.b.c.d]"
>>>
>>> my filter:
>>>
>>> filter f_conn_from_unk_private { not match
>>> ("unknown\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"); };
>>>
>>> error:
>>>
>>> Error compiling regular expression;
>>> re='[(10.1.|10.2.|10.10.5.|192.168.200)', error='brackets ([
>> ]) not balanced'
>>
>> I can't confirm this behaviour, as the following does work for me:
>>
>> filter f_internal_statistics {
>>    match("^syslog-ng\[[[:digit:]]+.: STATS") or match ("^syslog-ng\[[[:digit:]]+\]: Log statistics");
>> };
>>
>> What syslog-ng version are you using? Mine is 2.0.9
> 
> Installed with FreeBSD pkg_add from freshports.org, pkg_info shows:
> 
> "syslog-ng2-2.0.9_1  A powerful syslogd replacement"
> 
> I conclude that I've found a bug in the parsing of the escape sequence "\[" ,  and will look for a work around.
> 
> 
> thanks,
> Len
> 
> 
> 
> ______________________________________________
> IMGate OpenSource Mail Firewall www.IMGate.net
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>

More information about the syslog-ng mailing list