[syslog-ng] How to use regex in syslog-ng.conf

Péter, Kókai peter.kokai at oneidentity.com
Mon Mar 4 06:26:20 UTC 2019


Hello,

By simple, do you mean you want a more compact regular expression?

Just shortening it, you could do something like this: "AAA-6-AAA_ACCOUNTING_MESSAGE: [^@]+@[^:]+:[^:]+:[a-zA-Z]+ user"

But this would match your example fine: "AAA-6-AAA_ACCOUNTING_MESSAGE: .+:[a-zA-Z]+ user".

Do you have a pattern that you do not want to match? Is there any
description of the message format that you want to match? I would
try to build a regex from that instead of guessing.

--
Kokan
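The three patterns from this reply, checked against the quoted messages, as an added example that is not part of the thread. The first two sample lines are reconstructed from Victor's messages with the archive's " at " restored to "@"; the third line and the named-group variant (FIELDS, parse_fields) are my own additions, included to show why the question about unwanted matches matters.

```python
import re

# Sample messages: the first two are reconstructed from the lines quoted in the thread
# (the list archive rewrites "@" as " at "; the thread's regexes expect a literal "@"),
# the third is constructed to show a line the loose pattern accepts and the others reject.
SAMPLES = [
    "%AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.200.210@pts/0:syslogtest:deleted user victor",
    "%AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.201.173@pts/0:syslogtest:added user victor",
    "%AAA-6-AAA_ACCOUNTING_MESSAGE: start:shell:login user victor",
]

# The three patterns as posted in the thread. syslog-ng's match() does an unanchored
# PCRE search, which re.search() mirrors closely enough for these expressions.
PATTERNS = {
    "original": r"AAA-6-AAA_ACCOUNTING_MESSAGE: [a-zA-Z0-9]+:[0-9.]+@[a-zA-Z0-9]+\/[a-zA-Z0-9]+:[a-zA-Z0-9]+:[a-zA-Z]+ user",
    "shortened": r"AAA-6-AAA_ACCOUNTING_MESSAGE: [^@]+@[^:]+:[^:]+:[a-zA-Z]+ user",
    "loose": r"AAA-6-AAA_ACCOUNTING_MESSAGE: .+:[a-zA-Z]+ user",
}


def matching_patterns(message):
    """Names of the thread's patterns that match the given message."""
    return [name for name, pat in PATTERNS.items() if re.search(pat, message)]


# Hypothetical stricter variant (not from the thread): same field structure as the
# "shortened" pattern, but with named groups so the source IP, tty and action are
# captured once instead of being re-parsed later.
FIELDS = re.compile(
    r"AAA-6-AAA_ACCOUNTING_MESSAGE: (?P<action>[^:@]+):(?P<ip>[0-9.]+)@(?P<tty>[^:]+):"
    r"(?P<source>[^:]+):(?P<verb>[a-zA-Z]+) user (?P<account>\S+)"
)


def parse_fields(message):
    """Return the captured fields as a dict, or None when the message has a different shape."""
    m = FIELDS.search(message)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line in SAMPLES:
        print(matching_patterns(line), parse_fields(line))
```

In syslog-ng.conf the same expression goes inside match('...' value('MESSAGE')); single quotes, as Fabien suggests below, keep the backslashes in the original pattern from needing a second level of escaping.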

On Sat, Mar 2, 2019 at 11:28 PM Lin, Victor <victor.lin at rbc.com> wrote:

> Thanks a lot Kokan!!!!!
>
> I got the result :-)
>
> One more question
> For the following two
> %AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.200.210@pts/0:syslogtest:deleted user victor
> %AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.94.201.173@pts/0:syslogtest:added user victor
>
> I tried to use the following regex to match the text in red, and it
> works.
>
> AAA-6-AAA_ACCOUNTING_MESSAGE: [a-zA-Z0-9]+:[0-9.]+@[a-zA-Z0-9]+\/[a-zA-Z0-9]+:[a-zA-Z0-9]+:[a-zA-Z]+ user
>
> Is there a simple way to match "update:10.94.200.210@pts/0:syslogtest:"?
>
> Thank you very much again‼‼!
>
> VL
>
> -----Original Message-----
> From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of syslog-ng-request at lists.balabit.hu
> Sent: 2019, March, 01 7:00 AM
> To: syslog-ng at lists.balabit.hu
> Subject: syslog-ng Digest, Vol 167, Issue 1
>
> Today's Topics:
>
>    1.  unofficial syslog-ng 3.20 packages for Debian/Ubuntu
>       (Laszlo Budai)
>    2. Re:  How to use regex in syslog-ng.conf (Péter)
>    3. Re:  How to use regex in syslog-ng.conf (Fabien Wernli)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 1 Mar 2019 10:09:03 +0000
> From: Laszlo Budai <laszlo.budai at outlook.com>
> To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
> Subject: [syslog-ng] unofficial syslog-ng 3.20 packages for Debian/Ubuntu
>
> Hi,
>
>
> syslog-ng 3.20.1[1] packages are available in OBS repo[2].
>
> List of supported OSs:
> * Debian 8.0
> * Debian 9.0 [including armv7l]
> * Ubuntu 14.04
> * Ubuntu 16.04
> * Ubuntu 16.10
> * Ubuntu 17.04
> * Ubuntu 17.10
> * Ubuntu 18.04
> * Ubuntu 18.10
>
>
> Install
> -------
>
> example: Debian 9.0
>
> 1. get release key
> wget -qO - http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/Debian_9.0/Release.key | sudo apt-key add -
>
> 2. add repo to APT sources
> eg.: /etc/apt/sources.list.d/syslog-ng-obs.list
> deb http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/Debian_9.0 ./
>
> Then `apt-get update` and `apt-get install syslog-ng-core`
>
>
> Links
> --------
> [1] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.20.1
> [2] https://build.opensuse.org/package/show/home:laszlo_budai:syslog-ng/syslog-ng-3.20
>
>
> regards,
> Laszlo Budai
>
> ------------------------------
>
> Message: 2
> Date: Fri, 1 Mar 2019 11:34:00 +0100
> From: Péter, Kókai <peter.kokai at oneidentity.com>
> To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] How to use regex in syslog-ng.conf
>
> Hello,
>
> Based on your example one possible solution could be:
> match("cmd=username [a-z]+ privilege 15" value("MESSAGE"));
>
> You could also check out the syslog-ng administrator guide, it covers a
> lot of possibilities:
>
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/63#TOPIC-1122022
>
>
> --
> Kokan
>
> On Thu, Feb 28, 2019 at 3:50 PM Lin, Victor <victor.lin at rbc.com> wrote:
>
> > Dear all,
> >
> > I am trying to use regex in syslog-ng.conf without success :(
> >
> > Below is from my filter
> >
> > match("cmd=username toto privilege 15", value("MESSAGE"));
> >
> > Could you please let me know how I could replace "username toto" with a
> > regex? I tried /w+, but it didn't pass through.
> >
> > Thank you very much for your instruction!
> >
> > VL
> >
> >
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
> >
>
> ------------------------------
>
> Message: 3
> Date: Fri, 1 Mar 2019 12:50:50 +0100
> From: Fabien Wernli <wernli at in2p3.fr>
> To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] How to use regex in syslog-ng.conf
>
> On Fri, Mar 01, 2019 at 11:34:00AM +0100, Péter, Kókai wrote:
> > Hello,
> >
> > Based on your example one possible solution could be:
> > match("cmd=username [a-z]+ privilege 15" value("MESSAGE"));
> >
> > You could also check out the syslog-ng administrator guide, it covers
> > a lot of possibilities:
> > https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/63#TOPIC-1122022
>
> Also, prefer single quotes over double quotes: it will make escaping easier.
>
>
> ------------------------------
>
>
>