[syslog-ng] Feature Request - patterndb match set

Evan Rempel erempel at uvic.ca
Mon Nov 28 01:25:53 CET 2011


Thanks Balint

The patch was not quite complete (don't you hate copy and paste!) as it did not reference your new parser. A small fix, and it
worked like a charm. 

Evan.
________________________________________
From: syslog-ng-bounces at lists.balabit.hu [syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balint Kovacs [balint.kovacs at balabit.com]
Sent: Sunday, November 27, 2011 9:47 AM
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] Feature Request - patterndb match set

Hi Evan,

On 11/27/2011 06:10 AM, Evan Rempel wrote:
> I have come across some odd lines that really can't be matched/parsed by the patterndb
>
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: Module                  Size  Used by
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfs26               1945576  0
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: mmfslinux             326280  1 mmfs26
> 2011-11-25T10:49:21-08:00 mmfs at hermes0022.westgrid.uvic.ca/localhost/hermes0022/xcat2.westgrid.uvic.ca local2.info mmfs: tracedev               67148  2 mmf
>
>
> I would like to match these and parse out the number. The catch is that the number is right justified which means that
> there is a variable number of spaces before the number.
>
> I am open to suggestions about how to make a patterndb pattern to match this and parse the number into a tag/value pair.
>
> Failing that, I would propose a @SET@ parser.
>
> @SET:name:character set@
>
> This will match a sequence of characters that contain any of, and only those characters listed by "character set"
>
> This will allow matches of arbitrary length separators such as spaces or hyphens or other cases that can not yet be
> handled.
>
> Comments?
>
> Evan
This is something I would have needed recently as well, I ran across the
same problem with squid logs and padded usernames. STRING is not okay,
since you can only extend the set of matched chars, not specify them and
it will match the following tokens as well. I never tried to do a parser
before, but it seemed quite easy, so I'm sending a patch in a separate
thread that implements your idea and let's see what Bazsi thinks about it.

Balint

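Added example, not part of the thread and not the patch Balint posted: a small stand-alone matcher that applies the proposed `@SET:name:character set@` semantics to the message bodies of the sample lines above, next to a `STRING` parser extended with a space, which overruns the following tokens as described in the reply. The matcher, the pattern strings, the requirement that `SET` match at least one character, and the prefix-only matching are assumptions of this sketch, not syslog-ng code.

```python
import re
import string

# Message bodies (the text after "mmfs: ") from the sample lines in the thread.
SAMPLES = [
    "Module                  Size  Used by",
    "mmfs26               1945576  0",
    "mmfslinux             326280  1 mmfs26",
    "tracedev               67148  2 mmf",
]

# Splits a pattern into @PARSER:name[:param]@ fields and literal text.
TOKEN = re.compile(r"@([A-Z]+):([^:@]*)(?::([^@]*))?@|([^@]+)")
ALNUM = string.ascii_letters + string.digits

def span(text, pos, allowed):
    """Return the end of the run of `allowed` chars starting at pos, or None if empty."""
    end = pos
    while end < len(text) and text[end] in allowed:
        end += 1
    return end if end > pos else None

PARSERS = {
    "SET": span,                                              # only the listed characters
    "NUMBER": lambda t, p, _: span(t, p, string.digits),      # decimal digits only here
    "STRING": lambda t, p, extra: span(t, p, ALNUM + extra),  # alphanumerics plus extras
}

def match(pattern, text):
    """Match pattern against the start of text; return captured values or None."""
    pos, values = 0, {}
    for kind, name, param, literal in TOKEN.findall(pattern):
        if literal:
            if not text.startswith(literal, pos):
                return None
            end = pos + len(literal)
        else:
            end = PARSERS[kind](text, pos, param)
            if end is None:
                return None
            if name:  # an empty name matches without storing a value
                values[name] = text[pos:end]
        pos = end
    return values

# Hypothetical patterns: unnamed SET fields with a one-space set absorb the padding.
SET_PATTERN = "@STRING:module@@SET:: @@NUMBER:size@@SET:: @@NUMBER:used@"
STRING_PATTERN = "@STRING:module: @@NUMBER:size@"  # STRING extended with a space
```

With `SET_PATTERN` the three module lines yield `module`, `size` and `used` regardless of padding width and the column-header line is rejected; with `STRING_PATTERN` the space-extended `STRING` consumes the whole line, so `NUMBER` never matches.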