[syslog-ng] pcre matches

Balazs Scheidler bazsi at balabit.hu
Sat Mar 6 10:21:19 CET 2010


Hi,

Many thanks for reporting this. I'm sometimes blind to stuff that makes
syslog-ng difficult to use, but improving these cases will certainly
make life easier for others.

On Fri, 2010-03-05 at 17:42 -0700, Patrick H. wrote:
> After messing around with this for several days, I found the problems.
> 1) you cannot use lowercase letters in the match name
> 2) there are reserved words where if you try to use it as the match
> name, it dorks everything up (like MSGID). This one had me ripping out
> my hair and pounding my head on the desk.

When using a template, the '$' syntax prefers built-in macros over
name-value pairs. This is for compatibility reasons.

> 
> Sent: Thursday, March 04, 2010 3:23:59 PM
> From: Patrick H. <syslogng at feystorm.net>
> To: syslog-ng at lists.balabit.hu 
> Subject: [syslog-ng] pcre matches 
> > How do you use pcre named pattern matches with store-matches?
> > I've been trying to do things like
> > message("IP: (?<ip>\S+)" flags(store-matches) type("pcre"))
> > and then insert into a database with things like 
> > values("$ip") or values("$+{ip}")
> > and nothing works.
> > I can't seem to find any examples of usage through google either.
> > 
Hmm... you are right about the uppercase letters, although it dates back
to when syslog-ng didn't have user-nameable Name-Value pairs.

The brace syntax should work with either case though:

${ip} should work even with the current code. I don't know what you mean
by $+{ip} though.

I've committed this patch to allow non-capital letters in the non-braced
syntax:

commit 3bb6aee1a7448d9ec5e5436e7868fb62b1086a01
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Sat Mar 6 10:19:26 2010 +0100

    accept lower case letters as macro name even when not using braces
    
    To access all name-value pairs, the syntax ${macro_or_value} is preferred,
    especially if the value name contains a '.' character.
    
    However the old syntax $macro_or_value could also accept lower case
    letters, which it didn't without this patch.
    
    Reported-By: Patrick H.


-- 
Bazsi
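
The setup discussed in this thread, as an added configuration example that is not part of the original message or of syslog-ng's own documentation. The object names (s_net, f_ip, d_sql), the capture name src_ip, and the database, table, column and credential values are placeholders chosen for illustration.

```conf
# Added illustration, not from the thread: every object name, the database
# settings and the capture name "src_ip" are placeholders.

source s_net { udp(port(514)); };

filter f_ip {
    # Named PCRE group. store-matches keeps the capture as a name-value pair.
    # Single quotes keep the backslash in \S literal.
    # The capture is named src_ip rather than something like MSGID, because
    # a name that matches a built-in macro resolves to the macro, not to the
    # stored match.
    message('IP: (?<src_ip>\S+)' type("pcre") flags(store-matches));
};

destination d_sql {
    sql(
        type(mysql)
        host("localhost") username("syslog") password("CHANGE_ME")
        database("logs") table("events")
        columns("datetime", "host", "src_ip")
        # Brace syntax works for lower-case value names even without the
        # patch above; the bare $src_ip form needs the patch.
        values("${R_DATE}", "${HOST}", "${src_ip}")
    );
};

log { source(s_net); filter(f_ip); destination(d_sql); };
```

A column that stays empty for every row is the symptom described in the thread: the template reference did not resolve to the stored match.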



