[syslog-ng] problem with matching IP address and \d regex operand
Phil.Newlon at wendysarbys.com
Fri Oct 30 14:59:44 CET 2009
The netmask() filter won't work for me because I have forwarding devices
between the originating devices and the syslog-ng server.
[9000 originating devices] -> [F5 load balancer] -> [8 kiwi syslog servers]
-> [1 syslog-ng server]
-> [4 RSA Envision collectors]
netmask() sees the eight kiwi servers, not the originating device. I need
to distribute the 9000 originating devices across the four RSA devices, so
the only way I can see to do that is with a match(IP regex).
Thanks,
Phil
From: Robert Fekete <frobert at balabit.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Date: 10/30/2009 06:21 AM
Subject: Re: [syslog-ng] problem with matching IP address and \d regex operand
Hi,
I don't know much about regexps, but couldn't you cover this with the
netmask() filter?
Regards,
Robert
Phil.Newlon at wendysarbys.com wrote:
>
> I am using this regular expression with Kiwi Syslog to distribute messages
> to several destinations based on the last number of the third octet (0-4
> goes one place, 5-9 goes another).
>
> "10\.\d+\.\d*[0-4]\."
>
> This doesn't work with syslog-ng, of course, but based on my research of
> the archives, this should do the same thing because I've escaped the "\d"
>
> match("10\.\\d+\.\\d*[0-4]\.")
>
> Nope, I get nothing. I've shortened it to just
>
> match("10\.\\d+")
>
> and still get no matching messages.
>
> This sort of works, but gives some unexpected results:
>
> match("10\.[0-9]+\.[0-9]*[0-4]\.")
>
> The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this
> log message. I didn't expect a match on 10.87.48.4 from it because of the
> '8' as the last number of the third octet not matching '0-4'
>
> Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4
> MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009
> 538 Security pos User Success Audit POS0408748
> Logon/Logoff User Logoff: User Name: pos Domain:
> POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3
> 42921033
>
>
>
> So, I have two questions.....
>
> What's wrong with this:
>
> match("10\.\\d+\.\\d*[0-4]\.")
>
> And why did this
> match("10\.[0-9]+\.[0-9]*[0-4]\.")
> match this
> Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20
> 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29
> 16:31:17 2009 538 Security pos User Success Audit
> POS0408748 Logon/Logoff User Logoff: User Name: pos
> Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3
> 42921033
>
> Thanks!
>
> Phil
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
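An added example, not part of the original thread: Python's `re` stands in for syslog-ng's regex engine to show how the quoted pattern can report a match on 10.87.48.4, and how to group by the third octet without relying on regex escaping. It assumes that a single backslash inside a double-quoted syslog-ng string is consumed before the regex engine sees it, so `\.` arrives as a bare `.`; the function names and the trimmed sample line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the header part of the log line quoted in the post.
SAMPLE = ("Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon "
          "Oct 29 16:31:20 10.87.48.4 MSWinEventLog 0 Security 71000")

# The pattern as the poster intended it: every dot is a literal dot.
INTENDED = r"10\.[0-9]+\.[0-9]*[0-4]\."
# Assumption: what the engine receives once the double-quoted config string
# has dropped each single backslash, leaving "." as "any character".
UNESCAPED = r"10.[0-9]+.[0-9]*[0-4]."


def matched_text(pattern, line):
    """Return the exact substring an unanchored search matches, or None."""
    m = re.search(pattern, line)
    return m.group(0) if m else None


# A dotted quad that is not glued to other digits or dots.
IPV4 = re.compile(r"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")


def third_octet_group(line):
    """Group the first 10.x.x.x address in the line by the last digit of its
    third octet: '0-4' or '5-9'. Returns None if no such address is present."""
    for m in IPV4.finditer(line):
        try:
            octets = ipaddress.IPv4Address(m.group(0)).packed
        except ValueError:
            continue  # looked like an address but is not a valid one
        if octets[0] == 10:
            return "0-4" if octets[2] % 10 <= 4 else "5-9"
    return None


if __name__ == "__main__":
    # With literal dots the sample does not match at all.
    print("intended :", matched_text(INTENDED, SAMPLE))
    # With wildcard dots, "4" satisfies [0-4] and "8" is eaten by the last ".".
    print("unescaped:", matched_text(UNESCAPED, SAMPLE))
    print("group    :", third_octet_group(SAMPLE))
```

Under the same assumption, writing each literal dot as `\\.` in the double-quoted string keeps it literal when the pattern reaches the regex engine.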