[syslog-ng] Regexp values in comparison

Balazs Scheidler bazsi at balabit.hu
Tue Mar 29 13:50:18 CEST 2011


On Tue, 2011-03-29 at 12:15 +0200, Roland Kamke wrote:
> Thank you, Robert.
> 
> I guess since I only have syslog-ng OSE 3.0.10-1.rhel5 this regexp comparison stuff won't work anyway - that's a pity.
> I have to use CentOS 5 - do you know some yum repository providing newer OSE versions than 3.0.10-1.rhel5, e.g. OSE 3.3 or 3.2?
> 

Well, with the Open Source stuff, I only compile for a single platform
when doing a release because of my limited time to do releases. 

You are lucky, since the only platform I do release binaries for is
Linux, but not in RPM format, but rather in a self-extracting archive,
that supports a number of different Linux distributions. 

Here's the installer for 3.2.2:

http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.2.2/setups

It'll install in /opt/syslog-ng to avoid interference with
system-installed syslog-ng binaries.

That's all that the syslog-ng project is providing on its own. We do
work with various distributions however to update their packages, and I
know 3.2 is already available in a number of them (openSUSE, Mandriva,
FreeBSD, perhaps others too).

The commercial syslog-ng product (called the Premium Edition), which is
doing releases independently from the open source one, has packages for
RHEL5 (and 40 other UNIX version/CPU combinations), but their latest
release (4.0) is using an older syslog-ng core, thus this new
functionality is not yet available there either. The upcoming PE release
(4.1), which is going to use an updated OSE core, is expected in Q2 2011, so
quite soon now.

> Regards,
> Roland
> 
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Fekete Robert
> Sent: Tuesday, 29 March 2011 11:57
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Regexp values in comparison
> 
> Hi,
> yes, you can do such things in syslog-ng OSE 3.2 and 3.3, but not in earlier 
> versions.
> 
> Check out 
> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.2-guide-admin-en.html/filters-comparing.html 
> for details.
> 
> Regards,
> Robert
> 
> On 03/29/2011 10:27 AM, Roland Kamke wrote:
> 
> > A newbie question: Is it possible to use values matching a regular expression in
> > a comparison?
> >
> > Imagine I receive messages like this: "Disk usage is 60%", "Disk usage is 80%",
> > etc. All match the regular expression "Disk usage is [0-9]+%". I do not want to
> > log all these messages, but only those where disk usage is at least 75 per cent.
> > Can this be achieved by proper configuration?
> > Where to look in the documentation?
> >
> > Currently I am stuck with this approach:
> > parser p_disk {
> > csv-parser(columns("fix.disk","fix.usage", "fix.is", "diskusage")
> > delimiters(" %")
> > );
> > };
> > filter f_disk_syntax {
> > message("Disk usage is [0-9]+%");
> > };
> > filter f_disk_usage { "$diskusage" > "75" };
> > log l_mylog {
> > source(...);
> > filter(f_disk_syntax);
> > parser(p_disk);
> > filter(f_disk_usage);
> > destination(...);
> > };
> >
> > Is this a useful approach? Can it be accomplished with fewer definitions?
> > The definition of f_disk_usage results in a syntax error. What would be the
> > right syntax?
> > filter f_disk_usage { "$diskusage" > "75" };
> > filter f_disk_usage { "$diskusage" ge "75" };
> > filter f_disk_usage { value("diskusage") > "75" };
> > filter f_disk_usage { "$diskusage" > 75};
> > filter f_disk_usage { "${diskusage}" > "75" };
> > filter f_disk_usage { ${diskusage} > "75" };
> >
> > Will I need to set up a pattern database to get rid of all unwanted messages?
> >
> > Thank you
> > Roland
> >
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> 

-- 
Bazsi
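
Added example, not part of the original message or of syslog-ng: a Python sketch of the threshold check asked about in the quoted question, run over constructed sample messages. It contrasts a numeric comparison with a string comparison of the same extracted value, which is the distinction the comparison filters in syslog-ng OSE 3.2 make between numeric operators (such as `>=`) and string operators (such as `ge`). The function names and sample lines are assumptions made for illustration.

```python
import re

# Pattern from the thread, with a capture group added around the number.
DISK_RE = re.compile(r"Disk usage is ([0-9]+)%")
THRESHOLD = 75  # "at least 75 per cent", as in the question


def disk_usage(message):
    """Return the percentage as an int, or None if the message does not match."""
    m = DISK_RE.search(message)
    return int(m.group(1)) if m else None


def keep_numeric(message, threshold=THRESHOLD):
    """Numeric comparison: what the threshold filter is meant to do."""
    value = disk_usage(message)
    return value is not None and value >= threshold


def keep_lexicographic(message, threshold=THRESHOLD):
    """String comparison of the same field, shown only to expose the pitfall."""
    m = DISK_RE.search(message)
    return m is not None and m.group(1) >= str(threshold)


# Constructed sample messages (not taken from a real log).
SAMPLES = [
    "Disk usage is 60%",
    "Disk usage is 75%",
    "Disk usage is 80%",
    "Disk usage is 100%",
    "Disk usage is 8%",
    "Disk usage is n/a",
]


def compare(samples=SAMPLES):
    """Return (message, numeric_result, string_result) for each sample."""
    return [(s, keep_numeric(s), keep_lexicographic(s)) for s in samples]


if __name__ == "__main__":
    for msg, numeric, lexical in compare():
        flag = "" if numeric == lexical else "  <-- results differ"
        print(f"{msg!r:24} numeric={numeric!s:5} string={lexical!s:5}{flag}")
```

With a string comparison the 100% message is dropped and the 8% message is kept, so a disk-full alert would be silently lost while noise gets through.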



