[syslog-ng] Feature Request - patterndb match set

Balint Kovacs balint.kovacs at balabit.com
Sun Nov 27 18:47:00 CET 2011


Hi Evan,

On 11/27/2011 06:10 AM, Evan Rempel wrote:
> I have come across some odd lines that really can't be matched/parsed by the patterndb
>
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: Module                  Size  Used by
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfs26               1945576  0
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfslinux             326280  1 mmfs26
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: tracedev               67148  2 mmf
>
>
> I would like to match these and parse out the number. The catch is that the number is right justified which means that
> there is a variable number of spaces before the number.
>
> I am open to suggestions about how to make a paterndb pattern to match this and parse the number into a tag/value pair.
>
> Failing that I would propose that a @SET@ parser.
>
> @SET:name:character set@
>
> This will match a sequence of characters that contain any of, and only those characters listed by "character set"
>
> This will allow matches of arbitrary length separators such as spaces or hyphens or other cases that can not yet be
> handled.
>
> Comments?
>
> Evan
This is something I would have needed recently as well, I ran across the 
same problem with squid logs and padded usernames. STRING is not okay, 
since you can only extend the set of matched chars, not specify them and 
it will match the following tokens as well. I never tried to do a parser 
before, but it seemed quite easy, so I'm sending a patch in a separate 
thread that implements your idea and let's see what Bazsi thinks about it.

Balint



More information about the syslog-ng mailing list