[syslog-ng] Regex Irregularities

Nagy, Gábor gabor.nagy at oneidentity.com
Wed Feb 13 12:16:46 UTC 2019


Hi Max!

The whitespace rule in the timestamp field comes from the old BSD syslog
format, it is described in the RFC too:
https://tools.ietf.org/html/rfc3164#section-4.1.2

"The TIMESTAMP field is the local time and is in the format of "Mmm dd
hh:mm:ss""
"If the day of the month is less than 10, then it MUST be represented as a
space and then the number. For example, the 7th day of August would be
represented as "Aug  7", with two spaces between the "g" and the "7"."

Regards,
Gabor

On Fri, Feb 8, 2019 at 5:33 PM N. Max Pierson <nmaxpierson at gmail.com> wrote:

> Hi Even,
>
> Yes I am using single quotes on this pattern. I added \s+ and that seems
> to resolve my issue. Looks like if it's a date in the 1-9 range it uses 2
> spaces instead of one even though it doesn't seem to display it when I
> match on just a single \s. Strange but I think I have what I need so that
> this regex doesn't break when the days change from single days to double
> digit days.
>
> Thanks!
>
> Regards,
> Max
>
> On Fri, Feb 8, 2019 at 10:24 AM Evan Rempel <erempel at uvic.ca> wrote:
>
>> When using regular expressions that include the \ character (and perhaps
>> others) they need to be in single quotes, not double quotes.
>>
>> Also, the dates of the form "Feb 8 10:11:54" often have a leading space
>> on the day, so that your regex really needs to be '^\w+\s+\d+' to match both
>> Feb  9 10:11:54
>> Feb 19 10:11:54
>>
>> Not sure if that was your case, but it is a safer regex to cover such
>> cases.
>>
>> I can't speak to why the space gets eaten in your '8 09:55:54 CST: '
>> example.
>>
>> Evan.
>>
>> On 2/8/19 8:18 AM, N. Max Pierson wrote:
>>
>> Hi List,
>>
>> I am having some weird issues with a rewrite regex that I cannot explain. I
>> am simply trying to filter out the first part of the message, which has the
>> date in this format.
>>
>> Feb 8 09:13:32 CST:  (there is one space at the end)
>>
>> When I use the following syntax, it doesn't match as expected.
>>
>> ^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s
>>
>> I know this is the correct pattern because it works just fine on
>> www.regexpal.com. I did some further testing and I have narrowed it down
>> to the below ...
>>
>> ^\w+
>> 8 09:55:54 CST:  (this seemed to also remove the space behind the month)
>>
>> ^\w+\s
>> 8 09:59:37 CST:  (notice this is the exact same as the above without the
>> beginning space)
>>
>> ^\w+\s\d+
>> Feb 8 10:07:04 CST:  (doesn't match anything as though the space between
>> Feb and 8 isn't there)
>>
>> ^\w+\d+
>> Feb 8 10:11:54 CST:  (again doesn't match anything as though there is a
>> space between Feb and 8)
>>
>> So it seems to be something either with \w word class or the + quantifier
>> and it somehow eats the space behind it possibly?? I am running 3.19.1 on
>> Centos 7.
>>
>> Can anyone test this to confirm it isn't just local to my install for
>> whatever reason?
>>
>> Regards,
>> Max
>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>
>
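As an added illustration (not code from the thread or from syslog-ng itself), the Python below runs the two patterns discussed above against constructed sample prefixes in the "Mmm dd hh:mm:ss TZ: " form Max described, and also parses the RFC 3164 TIMESTAMP with its space-padded day. The function names and sample lines are assumptions.

```python
import re

# Constructed sample message prefixes in the form discussed in the thread.
# Per RFC 3164 section 4.1.2 a day below 10 is written as a space plus the
# digit, so "Feb  8" carries two spaces while "Feb 18" carries one.
SINGLE_DIGIT_DAY = "Feb  8 09:13:32 CST: interface up"
DOUBLE_DIGIT_DAY = "Feb 18 10:11:54 CST: interface up"

# Max's original pattern: exactly one whitespace character between fields.
STRICT = re.compile(r"^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s")
# Evan's suggestion: one or more whitespace characters, so both forms match.
LENIENT = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+\w+:\s")


def strip_prefix(pattern, line):
    """Return the message with the timestamp prefix removed, or None if the
    pattern does not match (which is what a failed rewrite looks like)."""
    m = pattern.match(line)
    return line[m.end():] if m else None


# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" with the day space-padded to width 2.
TIMESTAMP = re.compile(
    r"^(?P<mon>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r" (?P<day>(?: |[1-3])\d)"
    r" (?P<time>[0-2]\d:[0-5]\d:[0-5]\d)"
)


def parse_bsd_timestamp(line):
    """Parse the leading RFC 3164 TIMESTAMP into (month, day, time).

    Returns None for lines whose day field is not space-padded (e.g. "Feb 8")
    or whose day is out of range, so callers can see non-compliant input
    instead of silently mis-parsing it."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    day = int(m["day"])
    if not 1 <= day <= 31:
        return None
    return m["mon"], day, m["time"]
```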