[syslog-ng] Rewriting Cisco messages

Martin Holste mcholste at gmail.com
Tue Feb 7 16:26:15 CET 2012


I spent some time yesterday working out the proper regexes to handle
the many ways Cisco sends its timestamps, depending on how the device
is configured.  However, I feel like my solution can be improved upon,
so I'd like to see if there's a better way.  Here's what I've got so
far that seems to be working, though there seems to be a 10-15% CPU
penalty at the moment:

# 4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down
# 1y46w: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40).
# Uptime-style timestamps (device clock not set), e.g. 4w4d: or 1y46w:
filter f_rewrite_cisco_program_3 {
        match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
};

# Feb  6 16:43:32.219: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up
# Wall-clock timestamps: optional leading '*' or '.', optional fractional seconds, optional 3-letter timezone
filter f_rewrite_cisco_program_2 {
        match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
};

# Others where MSGONLY starts with PROGRAM (no timestamp prefix at all)
filter f_rewrite_cisco_program {
        match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
};

# $1 (program tag) and $2 (rest of the message) come from whichever filter matched
rewrite r_cisco_program {
        set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
        set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
};

This works, but is there a better way?
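The three PCRE patterns above can be exercised offline before they go into a syslog-ng config. The following script is an added example, not part of the original post or of syslog-ng: it re-implements the three filters with Python's re module (these patterns are accepted unchanged), applies them in the same left-to-right, first-match order that syslog-ng's or short-circuits through, and reports which filter supplied $1 (PROGRAM) and $2 (MESSAGE). The first three sample lines are the ones quoted in the post; the remaining samples are constructed here to cover the optional clock marker, timezone and no-timestamp cases.

```python
import re

# Added example (not from the original post): the three syslog-ng filter
# regexes re-implemented with Python's re module.  Group 1 becomes PROGRAM and
# group 2 becomes MESSAGE, exactly as the rewrite rule uses $1 and $2.
FILTERS = [
    # f_rewrite_cisco_program: MSGONLY starts directly with %FACILITY-SEV-MNEMONIC
    ("f_rewrite_cisco_program",
     re.compile(r'^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)')),
    # f_rewrite_cisco_program_2: wall-clock timestamp, optional leading '*' or
    # '.' clock-status marker, optional fractional seconds, optional 3-letter zone
    ("f_rewrite_cisco_program_2",
     re.compile(r'^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)'
                r'\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?'
                r': (%[^:]+): ([^\n]+)')),
    # f_rewrite_cisco_program_3: uptime timestamp such as 4w4d: or 1y46w:
    ("f_rewrite_cisco_program_3",
     re.compile(r'^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)')),
]


def rewrite_cisco_program(msgonly):
    """Mimic the r_cisco_program rewrite rule on one MSGONLY value.

    syslog-ng evaluates the 'or' of the three filters left to right and stops
    at the first match, so the first matching pattern supplies $1 and $2.
    Returns (filter_name, program, message), or None when no filter matches,
    in which case the rewrite leaves PROGRAM and MESSAGE untouched.
    """
    for name, pattern in FILTERS:
        m = pattern.match(msgonly)
        if m:
            return name, m.group(1), m.group(2)
    return None


# Constructed sample MSGONLY values: the first three are the lines quoted in
# the post, the rest are made up here to exercise the optional parts of the
# wall-clock pattern and the no-timestamp case.
SAMPLES = [
    "4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down",
    "1y46w: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40).",
    "Feb  6 16:43:32.219: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up",
    "*Mar  1 00:01:02 UTC: %SYS-5-CONFIG_I: Configured from console by vty0",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1234) -> 198.51.100.5(22), 1 packet",
    "%SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line[:40]), "->", rewrite_cisco_program(line))
```

Running it shows one gap worth knowing about: the no-timestamp filter restricts the mnemonic to `[0-9A-Z]+`, so a message such as the constructed last sample (`%SYS-5-CONFIG_I:` with no timestamp prefix) matches none of the three filters, while the same mnemonic is accepted by the two timestamped patterns because they use `[^:]+`.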
