[syslog-ng] Rewrite backreference oddity

Patrick Hemmer syslogng at stormcloud9.net
Mon Feb 27 20:17:45 CET 2012


Oh wait! I think I see whats happening.
Change your double quotes to single quotes.
The substitution is changing '172.30.60.' into 'd9550-.example.com'. Not 
adding the match at the end (should be using a '+' instead of a '*' on 
that regex :-P ). The backslash isnt working because its in double 
quotes. The single quotes will make it work.

-Patrick

Sent: Mon Feb 27 2012 14:15:24 GMT-0500 (EST)
From: Patrick Hemmer <syslogng at stormcloud9.net>
To: Ti Leggett <leggett at mcs.anl.gov> Syslog-ng users' and developers' 
mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Rewrite backreference oddity
> Oh, I didnt notice that it was at the end of the string, I just saw the
> empty spot. DOH!
> Sorry :-)
> Smells like a bug to me.
>
> -Patrick
>
> Sent: Mon Feb 27 2012 14:11:14 GMT-0500 (EST)
> From: Ti Leggett<leggett at mcs.anl.gov>
> To: Patrick Hemmer<syslogng at stormcloud9.net>  Syslog-ng users' and
> developers' mailing list<syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] Rewrite backreference oddity
>> Neither of those seem to help. If you notice, the back-reference is getting applied, just at the end of the string instead of where it should be. That's the really weird thing to me.
>>
>> On Feb 27, 2012, at 12:22 PM, Patrick Hemmer wrote:
>>
>>> Sent: Mon Feb 27 2012 13:18:03 GMT-0500 (EST)
>>> From: Ti Leggett<leggett at mcs.anl.gov>
>>> To: syslog-ng at lists.balabit.hu
>>> Subject: [syslog-ng] Rewrite backreference oddity
>>>> I have a rewrite rule that is used to replace private IPs that have no DNS name to an internally used name. It looks like:
>>>>
>>>> rewrite r_ddn { subst("172.30.60.(\d*)", "d9550-$1.example.com", value("HOST"), type("pcre")); };
>>>>
>>>>
>>>> For IP 172.30.60.1 I should get a HOST that is d9550-1.example.com, but what I actually get is d9550-.example.com1. Any ideas what I'm doing incorrectly? I've tried encapsulating the back reference in {}. Here's info about my syslog-ng:
>>> You shouldnt have a comma before the `type`. The config parser might be allowing this, though the general syntax used is to not have one.
>>>
>>> Also try using `flags(store-matches)`
>>>
>>> -Patrick
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>


More information about the syslog-ng mailing list