[syslog-ng] problem with matching IP address and \d regex operand

Martin Holste mcholste at gmail.com
Fri Oct 30 16:35:48 CET 2009


Granted I haven't used Kiwi in a few years and I'm sure it's much better
than it was (I hear they finally added multi-core support), but if you've
got under 50,000 events per second, couldn't you just go

[9000 originating devices] -> [1 syslog-ng server] -> [4 RSA Envision
collectors]

or, if you've really got that many events,

[9000 originating devices] -> [F5 load balancer] -> [2 syslog-ng servers] ->
[4 RSA Envision collectors]

in short, what do you need the Kiwi servers for?  Also, I'm using Cisco
server load balancing (available in many IOS versions) to distribute logs
across multiple Syslog-NG instances, and it works very well for providing
both load balancing and high availability.  That may save you from having to
use the F5 if you're not using it for anything else.

--Martin

On Fri, Oct 30, 2009 at 8:59 AM, <Phil.Newlon at wendysarbys.com> wrote:

>  The netmask() filter won't work for me because I have forwarding devices
> between the originating devices and the syslog-ng server.
>
> [9000 originating devices] -> [F5 load balancer] -> [8 kiwi syslog servers]
> -> [1 syslog-ng server]
>
> -> [4 RSA Envision collectors]
>
> netmask() sees the eight kiwi servers, not the originating device.  I need
> to distribute the 9000 originating devices across the four RSA devices, so
> the only way I can see to do that is with a match(IP regex).
>
> Thanks,
>
> Phil
>
>
>
>
> From:
> Robert Fekete <frobert at balabit.com>
> To:
> Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
> Date:
> 10/30/2009 06:21 AM
> Subject:
> Re: [syslog-ng] problem with matching IP address and \d regex operand
> ------------------------------
>
>
>
> Hi,
>
> I don't know much about regexps, but couldn't you cover this with the
> netmask()
> filter?
>
> Regards,
>
> Robert
>
> Phil.Newlon at wendysarbys.com wrote:
>
> >
> > I am using this regular expression with Kiwi Syslog to distribute
> > messages to several destinations based on the last number of the third
> > octet (0-4 goes one place, 5-9 goes another).
> >
> >      "10\.\d+\.\d*[0-4]\."
> >
> > This doesn't work with syslog-ng, of course, but based on my research of
> > the archives, this should do the same thing because I've escaped the "\d"
> >
> >      match("10\.\\d+\.\\d*[0-4]\.")
> >
> > Nope, I get nothing.  I've shortened it to just
> >
> >      match("10\.\\d+")
> >
> > and still get no matching messages.
> >
> > This sort of works, but gives some unexpected results:
> >
> >      match("10\.[0-9]+\.[0-9]*[0-4]\.")
> >
> > The match("10\.[0-9]+\.[0-9]*[0-4]\.") statement resulted in 'true' on
> > this log message.  I didn't expect a match on 10.87.48.4 from it because
> > of the '8' as the last number of the third octet not matching '0-4'
> >
> > Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4
> > MSWinEventLog  0       Security        71000   Thu Oct 29 16:31:17 2009
> > 538     Security        pos     User    Success Audit   POS0408748
> > Logon/Logoff            User Logoff:     User Name: pos     Domain:
> > POS0408748     Logon ID:  (0x0,0x4ACB69)     Logon Type: 3
> > 42921033
> >
> >
> >
> > So, I have two questions.....
> >
> > What's wrong with this:
> >
> >      match("10\.\\d+\.\\d*[0-4]\.")
> >
> > And why did this
> >      match("10\.[0-9]+\.[0-9]*[0-4]\.")
> > match this
> >      Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20
> > 10.87.48.4 MSWinEventLog  0       Security        71000   Thu Oct 29
> > 16:31:17 2009        538     Security        pos     User    Success
> > Audit
> > POS0408748      Logon/Logoff            User Logoff:     User Name: pos
> > Domain:  POS0408748     Logon ID:  (0x0,0x4ACB69)     Logon Type: 3
> > 42921033
> >
> > Thanks!
> >
> > Phil
> >
> >
> > ------------------------------------------------------------------------
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
>
>
>
>
>  *Notice:* This e-mail message and its attachments are the property of Wendy's/Arby's Group Inc.
> or one of its subsidiaries and may contain confidential or legally privileged information intended
> solely for the use of the addressee(s). If you are not an intended recipient, then any use, copying or
> distribution of this message or its attachments is strictly prohibited. If you received this message in
> error, please notify the sender and delete this message entirely from your system.
>
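Added example (not part of the thread, and not syslog-ng's own code): a small Python model of what Phil's filters run into. It assumes, as a simplified model, that syslog-ng processes backslash escapes inside double-quoted configuration strings before the regex engine ever sees them, so "\." reaches the engine as a bare "." (any character) while "\\d" reaches it as "\d". That alone explains the surprise hit on 10.87.48.4: the effective pattern 10.[0-9]+.[0-9]*[0-4]. matches "10.87.48", with the final unescaped dot swallowing the "8". Doubling every backslash (or putting the regex in single quotes) restores the literal dots. The sample log line is constructed after the one quoted above, and the collector_for() routing helper is this example's own: it extracts the originating 10.x.y.z address as a whole token and buckets on the last digit of the third octet, which is the split the thread asks for, and it also sidesteps the unanchored-pattern problem where a host such as 110.5.3.7 would satisfy 10\.[0-9]+\. just as well.

```python
import re

# Constructed sample, modelled on the Kiwi-forwarded Windows event quoted in the
# thread: the originating device (10.87.48.4) appears as the host after the
# timestamp, because the Kiwi relay re-emits the original line inside its own.
SAMPLE_LOG = (
    "Oct 29 16:31:20 10.87.48.4 Kiwi_Syslog_Daemon Oct 29 16:31:20 10.87.48.4 "
    "MSWinEventLog 0 Security 71000 Thu Oct 29 16:31:17 2009 538 Security pos "
    "User Success Audit POS0408748 Logon/Logoff User Logoff: User Name: pos "
    "Domain: POS0408748 Logon ID: (0x0,0x4ACB69) Logon Type: 3 42921033"
)

_NAMED_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def unescape_config_string(literal):
    """Simplified model (an assumption, not syslog-ng's parser) of how a
    double-quoted configuration string is unescaped before the regex engine
    sees it: a backslash followed by any character yields that character, so
    '\\.' becomes '.' and '\\\\d' becomes '\\d'.  This is the step that
    silently rewrites a regex written inside double quotes."""
    out = []
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            nxt = literal[i + 1]
            out.append(_NAMED_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def effective_match(config_pattern, message):
    """Compile the regex as it looks after string unescaping and return the
    matched text, or None when it does not match."""
    pattern = unescape_config_string(config_pattern)
    m = re.search(pattern, message)
    return m.group(0) if m else None


# The originating device's address as a whole token: a 10.x.y.z that is not
# embedded in a longer dotted or numeric run, so 110.5.3.7 cannot sneak in.
_ORIGIN_IP = re.compile(r"(?<![\d.])10\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")


def originating_device(message):
    """Return the first 10.x.y.z address in the message as (x, y, z), or None."""
    m = _ORIGIN_IP.search(message)
    if not m:
        return None
    return tuple(int(octet) for octet in m.groups())


def collector_for(message, buckets=2):
    """Pick a collector index from the last decimal digit of the third octet.
    With buckets=2 this is exactly the split the thread describes (digits 0-4
    to collector 0, 5-9 to collector 1); larger values spread the ten digits
    over that many collectors in contiguous runs."""
    octets = originating_device(message)
    if octets is None:
        return None
    third_octet = octets[1]          # groups are (x, y, z) of 10.x.y.z
    return (third_octet % 10) * buckets // 10


if __name__ == "__main__":
    broken = r"10\.[0-9]+\.[0-9]*[0-4]\."     # the thread's filter, as written
    fixed = r"10\\.[0-9]+\\.[0-9]*[0-4]\\."   # backslashes doubled for the config parser
    print("effective regex:", unescape_config_string(broken))   # 10.[0-9]+.[0-9]*[0-4].
    print("broken matches:", effective_match(broken, SAMPLE_LOG))  # 10.87.48
    print("fixed matches:", effective_match(fixed, SAMPLE_LOG))    # None
    print("collector:", collector_for(SAMPLE_LOG))                 # 1
```

The \d question is separate: POSIX extended regular expressions, which syslog-ng's match() compiles unless another engine is selected, have no \d class, so even a correctly doubled "\\d" does not match digits there; [0-9] or [[:digit:]] is the portable spelling. Python's re does understand \d, which is why the model above only exercises the dot escaping.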