[syslog-ng] problem with matching IP address and \d regex operand

Phil.Newlon at wendysarbys.com Phil.Newlon at wendysarbys.com
Fri Oct 30 14:59:44 CET 2009 

The netmask() filter won't work for me because I have forwarding devices
between the originating devices and the syslog-ng server.

[9000 originating devices] -> [F5 load balancer] -> [8 kiwi syslog servers]
-> [1 syslog-ng server]
-> [4 RSA Envision collectors]

netmask() sees the eight kiwi servers, not the originating device.  I need
to distribute the 9000 originating devices across the four RSA devices, so
the only way I can see to do that is with a match(IP regex).

Thanks,

Phil



|------------>
| From:      |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Robert Fekete <frobert at balabit.com>                                                                                                               |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| To:        |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>                                                                        |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Date:      |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |10/30/2009 06:21 AM                                                                                                                               |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
|------------>
| Subject:   |
|------------>
  >--------------------------------------------------------------------------------------------------------------------------------------------------|
  |Re: [syslog-ng] problem with matching IP address and \d regex     operand                                                                         |
  >--------------------------------------------------------------------------------------------------------------------------------------------------|





Hi,

I don't know much about regexps, but couldn't you cover this with the
netmask()
filter?

Regards,

Robert

Phil.Newlon at wendysarbys.com wrote:

>
> I am using this regular expression with Kiwi Syslog to distribute
messages
> to several destinations based on the last number of the third octet (0-4
> goes one place, 5-9 goes another).
>
>      "10\.\d+\.\d*[0-4]\."
>
> This doesn't work with syslog-ng, of course, but based on my research of
> the archives, this should do the same thing because I've escaped the "\d"
>
>      match("10\.\\d+\.\\d*[0-4]\.")
>
> Nope, I get nothing.  I've shortened it to just
>
>      match("10\.\\d+")
>
> and still get no matching messages.
>
> This sort of works, but gives some unexpected results:
>
>      match("10\.[0-9]+\.[0-9]*[0-4]\.")
>
> The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on
this
> log message.  I didn't expect a match on 10.87.48.4 from it because of
the
> '8' as the last number of the third octet not matching '0-4'
>
> Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4
> MSWinEventLog  0       Security        71000   Thu Oct 29 16:31:17 2009
> 538     Security        pos     User    Success Audit   POS0408748
> Logon/Logoff            User Logoff:     User Name: pos     Domain:
> POS0408748     Logon ID:  (0x0,0x4ACB69)     Logon Type: 3
42921033
>
>
>
> So, I have two questions.....
>
> What's wrong with this:
>
>      match("10\.\\d+\.\\d*[0-4]\.")
>
> And why did this
>    match("10\.[0-9]+\.[0-9]*[0-4]\.")
> match this
>      Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20
> 10.87.48.4 MSWinEventLog  0       Security        71000   Thu Oct 29
> 16:31:17 2009        538     Security        pos     User    Success
Audit
> POS0408748      Logon/Logoff            User Logoff:     User Name: pos
> Domain:  POS0408748     Logon ID:  (0x0,0x4ACB69)     Logon Type: 3
> 42921033
>
> Thanks!
>
> Phil
> <span style="font-size:78%;"><span
style="font-family:arial;"><strong>Notice:</strong> This e-mail message and
its attachments are the property of Wendy's/Arby's Group Inc. </span>
> <span style="font-family:arial;">or one of its subsidiaries and may
contain confidential or legally privileged information intended</span>
> <span style="font-family:arial;">solely for the use of the addressee(s).
If you are not an intended recipient, then any use, copying or</span>
> <span style="font-family:arial;">distribution of this message or its
attachments is strictly prohibited. If you received this message in</span>
> <span style="font-family:arial;">error, please notify the sender and
delete this message entirely from your system.</span></span>
>
>
> ------------------------------------------------------------------------
>
>
______________________________________________________________________________

> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>




______________________________________________________________________________

Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html



<span style="font-size:78%;"><span style="font-family:arial;"><strong>Notice:</strong> This e-mail message and its attachments are the property of Wendy's/Arby's Group Inc. </span>
<span style="font-family:arial;">or one of its subsidiaries and may contain confidential or legally privileged information intended</span>
<span style="font-family:arial;">solely for the use of the addressee(s). If you are not an intended recipient, then any use, copying or</span>
<span style="font-family:arial;">distribution of this message or its attachments is strictly prohibited. If you received this message in</span>
<span style="font-family:arial;">error, please notify the sender and delete this message entirely from your system.</span></span>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20091030/587d1a50/attachment.htm 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20091030/587d1a50/attachment.gif 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20091030/587d1a50/attachment-0001.gif

More information about the syslog-ng mailing list