[syslog-ng] Feature Request - patterndb match set
Balazs Scheidler
bazsi at balabit.hu
Sun Dec 18 09:57:22 CET 2011
On Sun, 2011-11-27 at 18:47 +0100, Balint Kovacs wrote:
> Hi Evan,
>
> On 11/27/2011 06:10 AM, Evan Rempel wrote:
> > I have come across some odd lines that really can't be matched/parsed by the patterndb
> >
> > 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: Module Size Used by
> > 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfs26 1945576 0
> > 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfslinux 326280 1 mmfs26
> > 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: tracedev 67148 2 mmf
> >
> >
> > I would like to match these and parse out the number. The catch is that the number is right justified which means that
> > there is a variable number of spaces before the number.
> >
> > I am open to suggestions about how to make a patterndb pattern to match this and parse the number into a tag/value pair.
> >
> > Failing that, I would propose a @SET@ parser.
> >
> > @SET:name:character set@
> >
> > This will match a sequence of characters that contain any of, and only those characters listed by "character set"
> >
> > This will allow matches of arbitrary length separators such as spaces or hyphens or other cases that can not yet be
> > handled.
> >
> > Comments?
> >
> > Evan
> This is something I would have needed recently as well, I ran across the
> same problem with squid logs and padded usernames. STRING is not okay,
> since you can only extend the set of matched chars, not specify them and
> it will match the following tokens as well. I never tried to do a parser
> before, but it seemed quite easy, so I'm sending a patch in a separate
> thread that implements your idea and let's see what Bazsi thinks about it.
>
I've applied the @SET@ parser to 3.4 and also wrote a $(strip) template
function to possibly take care of extra whitespace. That can be used in
<value/> tags in the rule this way:
<value name="usracct.name">$(strip ${value.parsed.by.the.pattern})</value>
That's also pushed to 3.4.
--
Bazsi
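
The matching behaviour discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng code: a small Python emulation of the proposed SET semantics next to a STRING-style parser whose character set can only be extended. The field tuples, the parser functions and the padding widths in the sample messages are assumptions made for the illustration.

```python
import string

ALNUM = string.ascii_letters + string.digits

def p_set(text, pos, charset):
    """Proposed SET: length of the longest run made only of charset characters."""
    end = pos
    while end < len(text) and text[end] in charset:
        end += 1
    return end - pos

# STRING-like parser: alphanumerics plus extra characters (the set can only grow).
def p_string(text, pos, extra):
    return p_set(text, pos, ALNUM + extra)

def p_number(text, pos, _unused):
    return p_set(text, pos, string.digits)

PARSERS = {"SET": p_set, "STRING": p_string, "NUMBER": p_number}

def match(pattern, text):
    """Apply (parser, name, arg) fields left to right; return named values or None.
    Assumption of this sketch: each field must consume at least one character,
    and text after the last field is ignored."""
    pos, values = 0, {}
    for parser, name, arg in pattern:
        n = PARSERS[parser](text, pos, arg)
        if n == 0:
            return None
        if name:
            values[name] = text[pos:pos + n]
        pos += n
    return values

# Separator expressed with SET: only spaces are consumed, however many there are.
WITH_SET = [("STRING", "module", "_"), ("SET", "", " "), ("NUMBER", "size", ""),
            ("SET", "", " "), ("NUMBER", "used", "")]
# Separator expressed by extending STRING with a space: it also eats the numbers.
WITH_STRING = [("STRING", "module", "_"), ("STRING", "", " "), ("NUMBER", "size", "")]

# Constructed messages: values from the thread, padding widths assumed.
SAMPLES = ["Module                  Size  Used by",
           "mmfs26               1945576  0",
           "mmfslinux             326280  1 mmfs26",
           "tracedev               67148  2 mmf"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line), match(WITH_SET, line), match(WITH_STRING, line))
```

With the SET separator the right-justified size is extracted regardless of padding, while the extended STRING separator runs through the digits and leaves nothing for the number field, so those messages would go unclassified.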