[syslog-ng] problem with matching IP address and \d regex operand

Balazs Scheidler bazsi at balabit.hu
Tue Nov 3 20:06:11 CET 2009


On Thu, 2009-10-29 at 16:40 -0400, Phil.Newlon at wendysarbys.com wrote:
> I am using this regular expression with Kiwi Syslog to distribute
> messages to several destinations based on the last number of the third
> octet (0-4 goes one place, 5-9 goes another). 
> 
>      "10\.\d+\.\d*[0-4]\." 
> 
> This doesn't work with syslog-ng, of course, but based on my research
> of the archives, this should do the same thing because I've escaped
> the "\d"
> 
> match("10\.\\d+\.\\d*[0-4]\.")
> 
> Nope, I get nothing. I've shortened it to just
> 
> match("10\.\\d+")
> 
> and still get no matching messages.

syslog-ng uses the system regexp lib (on Linux, the one in libc); are
you sure it supports \d? syslog-ng uses extended regexps, i.e. the
equivalent of what your egrep command is using. And for me, egrep doesn't
understand \d:

$ echo '10' | egrep '\d+' || echo not found
not found

whereas:

$ echo '10' | egrep '[0-9]+' && echo found
10
found

In the documentation of egrep I've found these named character sets:

"""       Finally,  certain  named  classes  of  characters are predefined within
       bracket expressions, as follows.  Their names are self explanatory, and
       they   are   [:alnum:],  [:alpha:],  [:cntrl:],  [:digit:],  [:graph:],
       [:lower:], [:print:], [:punct:], [:space:], [:upper:], and  [:xdigit:].
       For  example,  [[:alnum:]]  means  [0-9A-Za-z],  except the latter form
       depends upon the C locale and the ASCII character encoding, whereas the
       former  is  independent  of  locale  and character set.  (Note that the
       brackets in these class names are part of the symbolic names, and  must
       be  included  in  addition  to  the  brackets  delimiting  the  bracket
       expression.)  Most meta-characters lose their  special  meaning  inside
       bracket  expressions.   To  include  a  literal ] place it first in the
       list.  Similarly, to include a literal ^ place it anywhere  but  first.
       Finally, to include a literal - place it last.
"""

E.g. instead of \d, you might have wanted to say:

$ echo '10' | egrep '[[:digit:]]+' && echo found
10
found

Also, I can see that you tried to escape the dot right after "10", but
you only used a single escape, which escapes for syslog-ng but doesn't
embed a backslash for the regexp parser.

This reminds me of an unrelated note: if you use single quotes in
syslog-ng, you don't need to escape the backslash, e.g.

match("\\.") is equivalent to match('\.')

Another unrelated note: syslog-ng supports PCRE regular expressions if
you have that compiled in; PCRE supports \d, and you can use it like
this:

match('10\.\d+' type(pcre));

> 
> This sort of works, but gives some unexpected results:
> 
> match("10\.[0-9]+\.[0-9]*[0-4]\.")
> 
> The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on
> this log message. I didn't expect a match on 10.87.48.4 from it
> because of the '8' as the last number of the third octet not matching
> '0-4'
> 
> Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20
> 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538
> Security pos User Success Audit POS0408748 Logon/Logoff User Logoff:
> User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type:
> 3 42921033
> 
> 
> 
> So, I have two questions.....
> 
> What's wrong with this:
> 
> match("10\.\\d+\.\\d*[0-4]\.")
> 
> And why did this 
> match("10\.[0-9]+\.[0-9]*[0-4]\.")
> match this 
> Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20
> 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538
> Security pos User Success Audit POS0408748 Logon/Logoff User Logoff:
> User Name: pos Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type:
> 3 42921033
> 
> Thanks!
> 
> Phil 
-- 
Bazsi

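Worked example of the two escaping layers discussed in the reply, and of why the single-escaped pattern still matched 10.87.48.4. This is an added Python example, not code from the thread or from syslog-ng: syslog_ng_unquote is a simplified model (an assumption) of how syslog-ng turns a config string literal into the text the regex engine sees, following the reply's description that a single backslash in double quotes is consumed by syslog-ng and single quotes are taken verbatim; Python's re module stands in for the regex engine (it accepts \d like PCRE, unlike the POSIX ERE the reply describes, so the \d case is only shown at the unquoting layer); the log lines are constructed from the one in the thread; and ROUTE_0_4 is a pattern of my own, not one from the thread.

```python
import re

# Constructed sample lines, trimmed from the message quoted in the thread.
# 10.87.48.4: third octet ends in 8, so it should NOT match the 0-4 route.
# 10.87.44.4: third octet ends in 4, so it SHOULD match the 0-4 route.
LOG_LINE_48 = "Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon MSWinEventLog 0 Security 71000"
LOG_LINE_44 = "Oct 29 16:31:20 10.87.44.4 Kiwi_Syslog_Daemon MSWinEventLog 0 Security 71000"


def syslog_ng_unquote(literal):
    """Model (assumption, simplified) of syslog-ng config string handling.

    A single-quoted literal is passed through verbatim. In a double-quoted
    literal the config parser consumes one level of backslash escapes:
    "\\\\" yields one backslash, and an unknown escape such as "\\." yields
    just the escaped character, so the regex engine sees a bare "." there.
    """
    quote, body = literal[0], literal[1:-1]
    if quote == "'":
        return body
    if quote != '"':
        raise ValueError("expected a quoted literal")
    known = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(known.get(body[i + 1], body[i + 1]))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def match_(literal, message):
    """syslog-ng's match() as a PCRE-style engine (Python re) would evaluate
    it after unquoting; returns the matched text, or None."""
    m = re.search(syslog_ng_unquote(literal), message)
    return m.group(0) if m else None


# The thread's single-escaped pattern: every "\." reaches the engine as ".",
# which matches any character. "[0-9]*" may match nothing, so "[0-4]" grabs
# the 4 of "48" and the trailing "." swallows the 8: a false positive.
SINGLE_ESCAPED = r'"10\.[0-9]+\.[0-9]*[0-4]\."'

# Two spellings that deliver a real "\." to the engine: double backslash in
# double quotes, or single quotes (as the reply suggests).
DOUBLE_ESCAPED = r'"10\\.[0-9]+\\.[0-9]*[0-4]\\."'
SINGLE_QUOTED = r"'10\.[0-9]+\.[0-9]*[0-4]\.'"

# A tighter filter of my own (not from the thread): require a full dotted
# quad bounded by non-digit, non-dot characters, using only POSIX ERE
# syntax, so a stray "10" elsewhere in the message cannot start a match.
ROUTE_0_4 = r"'(^|[^0-9.])10\.[0-9]{1,3}\.[0-9]{0,2}[0-4]\.[0-9]{1,3}([^0-9.]|$)'"


def demo():
    """Return what the engine sees and what each spelling matches."""
    return {
        "engine_sees_single": syslog_ng_unquote(SINGLE_ESCAPED),
        "engine_sees_double": syslog_ng_unquote(DOUBLE_ESCAPED),
        "engine_sees_backslash_d": syslog_ng_unquote(r'"10\.\\d+"'),
        "single_on_48": match_(SINGLE_ESCAPED, LOG_LINE_48),
        "double_on_48": match_(DOUBLE_ESCAPED, LOG_LINE_48),
        "quoted_on_44": match_(SINGLE_QUOTED, LOG_LINE_44),
        "route_on_44": match_(ROUTE_0_4, LOG_LINE_44),
        "route_on_48": match_(ROUTE_0_4, LOG_LINE_48),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value!r}")
```

The "engine_sees_backslash_d" entry shows the asymmetry in the original attempt: the single-escaped dot is reduced to a wildcard while the double-escaped \d survives intact, which is exactly what a POSIX ERE engine then fails to understand.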