[syslog-ng] How to use regex in syslog-ng.conf
Lin, Victor
victor.lin at rbc.com
Sat Mar 2 22:28:13 UTC 2019
Thanks a lot Kokan!!!!!
I got the result :-)
One more question
For the following two
%AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.200.210 at pts/0:syslogtest:deleted user victor
%AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.201.173 at pts/0:syslogtest:added user victor
I tried the following regex to match the text in red color, and it shows that it works.
AAA-6-AAA_ACCOUNTING_MESSAGE: [a-zA-Z0-9]+:[0-9.]+@[a-zA-Z0-9]+\/[a-zA-Z0-9]+:[a-zA-Z0-9]+:[a-zA-Z]+ user
Is there a simple way to match " update:10.94.200.210 at pts/0:syslogtest:"?
Thank you very much again!!!
VL
-----Original Message-----
From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of syslog-ng-request at lists.balabit.hu
Sent: 2019, March, 01 7:00 AM
To: syslog-ng at lists.balabit.hu
Subject: syslog-ng Digest, Vol 167, Issue 1
Today's Topics:
1. unofficial syslog-ng 3.20 packages for Debian/Ubuntu
(Laszlo Budai)
2. Re: How to use regex in syslog-ng.conf (Péter)
3. Re: How to use regex in syslog-ng.conf (Fabien Wernli)
----------------------------------------------------------------------
Message: 1
Date: Fri, 1 Mar 2019 10:09:03 +0000
From: Laszlo Budai <laszlo.budai at outlook.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] unofficial syslog-ng 3.20 packages for Debian/Ubuntu
Message-ID: <VI1PR0601MB2237CC24E8908466F6ABC1B38E760 at VI1PR0601MB2237.eurprd06.prod.outlook.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi,
syslog-ng 3.20.1[1] packages are available in OBS repo[2].
List of supported OSs:
* Debian 8.0
* Debian 9.0 [including armv7l]
* Ubuntu 14.04
* Ubuntu 16.04
* Ubuntu 16.10
* Ubuntu 17.04
* Ubuntu 17.10
* Ubuntu 18.04
* Ubuntu 18.10
Install
-------
example: Debian 9.0
1. get release key
wget -qO - http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/Debian_9.0/Release.key | sudo apt-key add -
2. add repo to APT sources
eg.: /etc/apt/sources.list.d/syslog-ng-obs.list
deb http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/Debian_9.0 ./
Then `apt-get update` and `apt-get install syslog-ng-core`
Links
--------
[1] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.20.1
[2] https://build.opensuse.org/package/show/home:laszlo_budai:syslog-ng/syslog-ng-3.20
regards,
Laszlo Budai
------------------------------
Message: 2
Date: Fri, 1 Mar 2019 11:34:00 +0100
From: Péter, Kókai <peter.kokai at oneidentity.com>
To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] How to use regex in syslog-ng.conf
Message-ID: <CABxQCpjDdn3JSwA1btkF7GZGLX_De0qGq+i9GtOcz8JWjhgpzA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hello,
Based on your example one possible solution could be: match("cmd=username [a-z]+ privilege 15" value("MESSAGE"));
You could also check out the syslog-ng administrator guide, it covers a lot of possibilities:
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/63#TOPIC-1122022
--
Kokan
On Thu, Feb 28, 2019 at 3:50 PM Lin, Victor <victor.lin at rbc.com> wrote:
> Dear all,
>
> I am trying to use regex in syslog-ng.conf without success :-(
>
> Below is from my filter
>
> match("cmd=username toto privilege 15", value("MESSAGE"));
>
> Could you please let me know how I could replace username toto with a
> regex? I tried /w+, but it didn't pass through.
>
> Thank you very much for your instruction!
>
> VL
------------------------------
Message: 3
Date: Fri, 1 Mar 2019 12:50:50 +0100
From: Fabien Wernli <wernli at in2p3.fr>
To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] How to use regex in syslog-ng.conf
Message-ID: <20190301115050.hs3d5vjf27a7lwfe at ccfawe.in2p3.fr>
Content-Type: text/plain; charset="iso-8859-1"
On Fri, Mar 01, 2019 at 11:34:00AM +0100, Péter, Kókai wrote:
> Hello,
>
> Based on your example one possible solution could be:
> match("cmd=username [a-z]+ privilege 15" value("MESSAGE"));
>
> You could also check out the syslog-ng administrator guide, it covers
> a lot of possibilities:
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/63#TOPIC-1122022
also, prefer single quotes over double quotes: will make escaping easier
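Added example, not part of the original thread and not code from the syslog-ng project: a small Python check that runs the regex from the post and a shorter "anything but a colon" variant over sample lines before the pattern goes into a match() filter, then renders the filter in single quotes as suggested in the thread. Assumptions: the archive rewrote "@" as " at " in the posted log lines, so "@" is restored in the samples; the negative and hyphenated-login lines and the filter name are constructed; Python's re and syslog-ng's regex engine agree on the constructs used here.

```python
import re

PREFIX = "%AAA-6-AAA_ACCOUNTING_MESSAGE: update:"
# The two log lines from the post ("@" restored, see assumptions above).
SAMPLES = [
    PREFIX + "10.94.200.210@pts/0:syslogtest:deleted user victor",
    PREFIX + "10.94.201.173@pts/0:syslogtest:added user victor",
]
# Constructed lines the filter must not match.
NEGATIVES = [
    PREFIX + "10.94.200.210@pts/0:syslogtest:show running-config",
    "%SYS-5-CONFIG_I: Configured from console by syslogtest on vty0",
]
# Constructed line: same event, but the login name contains a hyphen.
HYPHEN_LOGIN = PREFIX + "10.94.200.210@pts/0:net-admin:added user victor"

# The pattern from the post, unchanged.
ORIGINAL = (r"AAA-6-AAA_ACCOUNTING_MESSAGE: [a-zA-Z0-9]+:[0-9.]+@[a-zA-Z0-9]+"
            r"\/[a-zA-Z0-9]+:[a-zA-Z0-9]+:[a-zA-Z]+ user")
# Shorter variant: every colon-delimited field is "one or more non-colons".
# It is broader on purpose, so an unusual login name does not hide the event.
SIMPLER = (r"AAA-6-AAA_ACCOUNTING_MESSAGE: "
           r"[^:]+:[^:@]+@[^:]+:[^:]+:[a-zA-Z]+ user")


def matches(pattern, lines):
    """Return the lines in which the pattern is found (unanchored search)."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def to_filter(name, pattern):
    """Render a syslog-ng filter; single quotes need no backslash doubling."""
    if "'" in pattern:
        raise ValueError("pattern contains a single quote")
    return "filter %s { match('%s' value(\"MESSAGE\")); };" % (name, pattern)


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL), ("simpler", SIMPLER)):
        print(label, "hits:", len(matches(pat, SAMPLES)),
              "false hits:", len(matches(pat, NEGATIVES)),
              "hyphenated login:", bool(matches(pat, [HYPHEN_LOGIN])))
    print(to_filter("f_aaa_user_change", SIMPLER))
```

The stricter character classes in the posted pattern silently skip the hyphenated login, which matters when the filter feeds an audit or alerting path.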