[syslog-ng] problem with matching IP address and \d regex operand
Phil.Newlon at wendysarbys.com
Phil.Newlon at wendysarbys.com
Thu Oct 29 21:40:29 CET 2009
I am using this regular expression with Kiwi Syslog to distribute messages
to several destinations based on the last number of the third octet (0-4
goes one place, 5-9 goes another).
"10\.\d+\.\d*[0-4]\."
This doesn't work with syslog-ng, of course, but based on my research of
the archives, this should do the same thing because I've escaped the "\d"
match("10\.\\d+\.\\d*[0-4]\.")
Nope, I get nothing. I've shortened it to just
match("10\.\\d+")
and still get no matching messages.
This sort of works, but gives some unexpected results:
match("10\.[0-9]+\.[0-9]*[0-4]\.")
The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this
log message. I didn't expect a match on 10.87.48.4 from it because of the
'8' as the last number of the third octet not matching '0-4'
Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4
MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009
538 Security pos User Success Audit POS0408748
Logon/Logoff User Logoff: User Name: pos Domain:
POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033
So, I have two questions.....
What's wrong with this:
match("10\.\\d+\.\\d*[0-4]\.")
And why did this
match("10\.[0-9]+\.[0-9]*[0-4]\.")
match this
Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20
10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29
16:31:17 2009 538 Security pos User Success Audit
POS0408748 Logon/Logoff User Logoff: User Name: pos
Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3
42921033
Thanks!
Phil
<span style="font-size:78%;"><span style="font-family:arial;"><strong>Notice:</strong> This e-mail message and its attachments are the property of Wendy's/Arby's Group Inc. </span>
<span style="font-family:arial;">or one of its subsidiaries and may contain confidential or legally privileged information intended</span>
<span style="font-family:arial;">solely for the use of the addressee(s). If you are not an intended recipient, then any use, copying or</span>
<span style="font-family:arial;">distribution of this message or its attachments is strictly prohibited. If you received this message in</span>
<span style="font-family:arial;">error, please notify the sender and delete this message entirely from your system.</span></span>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20091029/e496d6cf/attachment.htm
More information about the syslog-ng
mailing list