[syslog-ng] problem with matching IP address and \d regex operand
Martin Holste
mcholste at gmail.com
Fri Oct 30 16:35:48 CET 2009
Granted I haven't used Kiwi in a few years and I'm sure it's much better
than it was (I hear they finally added multi-core support), but if you've
got under 50,000 events per second, couldn't you just go
[9000 originating devices] -> [1 syslog-ng server] -> [4 RSA Envision collectors]
or, if you've really got that many events,
[9000 originating devices] -> [F5 load balancer] -> [2 syslog-ng servers] -> [4 RSA Envision collectors]
in short, what do you need the Kiwi servers for? Also, I'm using Cisco
server load balancing (available in many IOS versions) to distribute logs
across multiple Syslog-NG instances, and it works very well for providing
both load balancing and high availability. That may save you from having to
use the F5 if you're not using it for anything else.
--Martin
On Fri, Oct 30, 2009 at 8:59 AM, <Phil.Newlon at wendysarbys.com> wrote:
> The netmask() filter won't work for me because I have forwarding devices
> between the originating devices and the syslog-ng server.
>
> [9000 originating devices] -> [F5 load balancer] -> [8 kiwi syslog servers] -> [1 syslog-ng server] -> [4 RSA Envision collectors]
>
> netmask() sees the eight kiwi servers, not the originating device. I need
> to distribute the 9000 originating devices across the four RSA devices, so
> the only way I can see to do that is with a match(IP regex).
>
> Thanks,
>
> Phil
>
>
> From: Robert Fekete <frobert at balabit.com>
> To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
> Date: 10/30/2009 06:21 AM
> Subject: Re: [syslog-ng] problem with matching IP address and \d regex operand
>
> Hi,
>
> I don't know much about regexps, but couldn't you cover this with the
> netmask() filter?
>
> Regards,
>
> Robert
>
> Phil.Newlon at wendysarbys.com wrote:
>
> >
> > I am using this regular expression with Kiwi Syslog to distribute messages
> > to several destinations based on the last number of the third octet (0-4
> > goes one place, 5-9 goes another).
> >
> > "10\.\d+\.\d*[0-4]\."
> >
> > This doesn't work with syslog-ng, of course, but based on my research of
> > the archives, this should do the same thing because I've escaped the "\d"
> >
> > match("10\.\\d+\.\\d*[0-4]\.")
> >
> > Nope, I get nothing. I've shortened it to just
> >
> > match("10\.\\d+")
> >
> > and still get no matching messages.
> >
> > This sort of works, but gives some unexpected results:
> >
> > match("10\.[0-9]+\.[0-9]*[0-4]\.")
> >
> > The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on this
> > log message. I didn't expect a match on 10.87.48.4 from it because of the
> > '8' as the last number of the third octet not matching '0-4'.
> >
> > Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4
> > MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009
> > 538 Security pos User Success Audit POS0408748
> > Logon/Logoff User Logoff: User Name: pos Domain:
> > POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033
> >
> >
> >
> > So, I have two questions.....
> >
> > What's wrong with this:
> >
> > match("10\.\\d+\.\\d*[0-4]\.")
> >
> > And why did this
> > match("10\.[0-9]+\.[0-9]*[0-4]\.")
> > match this
> > Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20
> > 10.87.48.4 MSWinEventLog 0 Security 71000 Thu Oct 29
> > 16:31:17 2009 538 Security pos User Success Audit
> > POS0408748 Logon/Logoff User Logoff: User Name: pos
> > Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3
> > 42921033
> >
> > Thanks!
> >
> > Phil
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> *Notice:* This e-mail message and its attachments are the property of Wendy's/Arby's Group Inc.
> or one of its subsidiaries and may contain confidential or legally privileged information intended
> solely for the use of the addressee(s). If you are not an intended recipient, then any use, copying or
> distribution of this message or its attachments is strictly prohibited. If you received this message in
> error, please notify the sender and delete this message entirely from your system.
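The following is an added example, not code from the thread or from syslog-ng, that reproduces the unexpected match on the log line Phil quoted. It assumes (the thread does not confirm this) that a double-quoted config string consumes one level of backslashes before the pattern reaches the regex engine, so the typed `\.` becomes the wildcard `.`; it also shows routing on the parsed third octet of the first dotted quad instead of running an unanchored regex over the whole message.

```python
import re

# Constructed copy of the log line quoted in the thread, rejoined onto one line.
SAMPLE = ("Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 "
          "MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos "
          "User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos "
          "Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033")

# The pattern exactly as typed between the quotes in the config (raw string,
# so the backslashes are kept as written).
TYPED = r"10\.[0-9]+\.[0-9]*[0-4]\."


def config_unescape(literal):
    # Assumption, not confirmed by the thread: the config parser consumes one
    # backslash level, so a typed \. reaches the regex engine as a bare . and
    # a typed \\d reaches it as \d.
    return re.sub(r"\\(.)", r"\1", literal)


def matches_as_engine_sees_it(literal, message):
    # Search with the pattern the engine receives after unescaping; every
    # former \. is now a wildcard, so "10.87.48" satisfies [0-4]. via '4' + '8'.
    return re.search(config_unescape(literal), message) is not None


def matches_as_intended(pattern, message):
    # Search with the pattern as the author meant it: literal dots only.
    return re.search(pattern, message) is not None


# First dotted quad in the message; \b keeps it from starting inside a longer
# run of digits such as "42921033".
DOTTED_QUAD = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def route_by_third_octet(message):
    # Destination 'A' when the third octet ends in 0-4, 'B' when it ends in
    # 5-9, None when no address is present. Deciding on the parsed octet avoids
    # both the unescaping trap and matches on digits elsewhere in the message.
    m = DOTTED_QUAD.search(message)
    if m is None:
        return None
    third = m.group(3)
    return "A" if third[-1] in "01234" else "B"
```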