[syslog-ng] problem with matching IP address and \d regex operand

Phil.Newlon at wendysarbys.com
Thu Oct 29 21:40:29 CET 2009



I am using this regular expression with Kiwi Syslog to distribute messages
to several destinations based on the last number of the third octet (0-4
goes one place, 5-9 goes another).

     "10\.\d+\.\d*[0-4]\."

This doesn't work with syslog-ng, of course, but based on my research of
the archives, this should do the same thing because I've escaped the "\d":
     match("10\.\\d+\.\\d*[0-4]\.")

Nope, I get nothing.  I've shortened it to just

     match("10\.\\d+")

and still get no matching messages.

This sort of works, but gives some unexpected results:

     match("10\.[0-9]+\.[0-9]*[0-4]\.")

The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this
log message.  I didn't expect a match on 10.87.48.4 from it because of the
'8' as the last number of the third octet not matching '0-4'.

Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4
MSWinEventLog  0       Security        71000   Thu Oct 29 16:31:17 2009
538     Security        pos     User    Success Audit   POS0408748
Logon/Logoff            User Logoff:     User Name: pos     Domain:
POS0408748     Logon ID:  (0x0,0x4ACB69)     Logon Type: 3         42921033



So, I have two questions.....

What's wrong with this:

     match("10\.\\d+\.\\d*[0-4]\.")

And why did this

     match("10\.[0-9]+\.[0-9]*[0-4]\.")

match this

     Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20
10.87.48.4 MSWinEventLog  0       Security        71000   Thu Oct 29
16:31:17 2009        538     Security        pos     User    Success Audit
POS0408748      Logon/Logoff            User Logoff:     User Name: pos
Domain:  POS0408748     Logon ID:  (0x0,0x4ACB69)     Logon Type: 3
42921033

Thanks!

Phil
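
Added example (not part of the original post): a Python model of one likely reason for the unexpected match, assuming syslog-ng's double-quoted strings consume a single backslash so that `\.` reaches the regex engine as a bare `.`. `dq_unescape` is a hypothetical stand-in for that parsing, Python's `re` stands in for syslog-ng's regex engine, and the sample lines are constructed from the message quoted above.

```python
import re

# Constructed sample: the header of the log line quoted in the post.
LOG_LINE = ("Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon "
            "Oct 29 16:31:20 10.87.48.4 MSWinEventLog")

# The filter pattern exactly as typed between the double quotes.
AS_TYPED = r"10\.[0-9]+\.[0-9]*[0-4]\."


def dq_unescape(text):
    """Assumed model of a double-quoted config string: each backslash is
    consumed and the character after it is kept literally."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def matched_text(pattern, line):
    """Return the substring an unanchored search matches, or None."""
    m = re.search(pattern, line)
    return m.group(0) if m else None


def report():
    seen = dq_unescape(AS_TYPED)  # what the regex engine receives
    # Same pattern typed with doubled backslashes ("10\\.[0-9]+...").
    doubled = dq_unescape(AS_TYPED.replace("\\", "\\\\"))
    return {
        "engine_sees": seen,
        "loose_match": matched_text(seen, LOG_LINE),
        "doubled_sees": doubled,
        "strict_match": matched_text(doubled, LOG_LINE),
        "strict_on_44": matched_text(doubled, "Oct 29 16:31:20 10.87.44.4 host"),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:13} {value!r}")
```

With the dots unescaped, `[0-9]*[0-4]` matches the single `4` and the final `.` matches the `8`, so the filter fires on `10.87.48`.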