[syslog-ng] Rewrite engine and backreferences

Balazs Scheidler bazsi at balabit.hu
Sat Aug 14 14:29:41 CEST 2010


On Thu, 2010-08-12 at 08:21 -0600, syslogng at feystorm.net wrote:
> Ya, csv is probably the better way to do that, but to answer your
> original question, it didn't work because you didn't tell it the
> replacement was a pcre regex (it defaults to posix standard regex) and
> posix regex doesn't understand most of the character classes pcre does
> (\S \s \d etc). Change it by specifying 'type(pcre)'.
> You might also need to set the store-matches flag, but I'm not sure on
> this. I know it's required to access the captures from outside the
> match, but I haven't tested to see if it's required within a rewrite.
> 
> The administrators guide has all this in it and is a tremendously
> helpful resource. It can be found on the balabit web site under
> documentation.

Yes, the "store-matches" flag is needed in the case of a rewrite rule too.

So it should look like:

rewrite test_columns {
    subst("(\S+)\s+(\S+)\s+(\S+)\s+(\S+)",
          "system=$1 action=$2 flags=$3 result=$4",
          value("MESSAGE") type(pcre) flags(store-matches));
};

But csv-parser should be _much_ faster than using regexps, though I'd
appreciate it if you could actually post numbers showing whether this is true.

-- 
Bazsi
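
A fuller configuration built around the rule above, added here as an illustration and not taken from the thread or from syslog-ng's own documentation: it wires the pcre rewrite into a log path and puts the csv-parser alternative Bazsi mentions beside it, so the two can be compared (and timed) on the same input. The source socket, file paths, column names and the @version line are assumptions.

```conf
@version: 3.1

# Constructed input: each message is four whitespace-separated columns,
# e.g. "web01 login failed 0", read from the local syslog socket.
source s_local { unix-stream("/dev/log"); };

# Regex variant from the thread. type(pcre) is what makes the \S and \s
# classes valid, and flags(store-matches) is what makes $1..$4 usable in
# the replacement string. The pattern is single-quoted so that syslog-ng
# does not process the backslashes as string escapes before the regex
# engine sees them (double-quoted strings are escape-processed).
rewrite r_columns {
    subst('(\S+)\s+(\S+)\s+(\S+)\s+(\S+)',
          "system=$1 action=$2 flags=$3 result=$4",
          value("MESSAGE") type(pcre) flags(store-matches));
};

# csv-parser variant: splits MESSAGE on spaces into named macros instead
# of running a regex per message. Unlike \s+, every space is a separator,
# so two consecutive spaces yield an empty column; strip-whitespace only
# trims the edges of each column, and greedy lets the last column keep
# whatever text remains.
parser p_columns {
    csv-parser(columns("COL.SYSTEM", "COL.ACTION", "COL.FLAGS", "COL.RESULT")
               delimiters(" ")
               flags(strip-whitespace, greedy));
};

# Both paths write the same key=value layout so the outputs can be diffed.
destination d_rewrite {
    file("/var/log/columns-rewrite.log" template("${MESSAGE}\n"));
};
destination d_parser {
    file("/var/log/columns-parser.log"
         template("system=${COL.SYSTEM} action=${COL.ACTION} flags=${COL.FLAGS} result=${COL.RESULT}\n"));
};

log { source(s_local); rewrite(r_columns); destination(d_rewrite); };
log { source(s_local); parser(p_columns); destination(d_parser); };
```

Messages with irregular spacing are the case where the two outputs diverge, so they are worth including in any timing run.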
