[syslog-ng] turn off case sensitivity for match regex filter
stucky
2007-04-28 08:52:22 UTC
Guys

Playing around with ng 2 and I started looking at the match filter again.
Simple question that I cannot find an answer to anywhere on the net.
How do I turn off case sensitivity for the match target ?
I'd like the following line to match 'error' or 'ERROR' or 'Error'

filter logparse { match("error"); };

but of course it only matches 'error' since by default regex is case
sensitive.
Basically I'm trying to emulate 'grep -i'
I guess I could do this :

filter logparse { match("[Ee][Rr][Rr][Oo][Rr]"); };

but it'd be soo much simpler to turn off case sensitivity.

And while we're talking regex. Shouldn't the above line actually read like
this :

filter logparse { match(".+error.+"); }; ?

meaning "anything followed by 'error' followed by anything"
Both appear to work so I assume the first line is interpreted by syslog-ng
like the second line correct ?

Help is appreciated


stucky
Balazs Scheidler
2007-04-28 10:42:06 UTC
Post by stucky
Guys
Playing around with ng 2 and I started looking at the match filter again.
Simple question that I cannot find an answer to anywhere on the net.
How do I turn off case sensitivity for the match target ?
I'd like the following line to match 'error' or 'ERROR' or 'Error'
filter logparse { match("error"); };
but of course it only matches 'error' since by default regex is case
sensitive.
Basically I'm trying to emulate 'grep -i'
filter logparse { match("[Ee][Rr][Rr][Oo][Rr]"); }; but it'd be soo
much simpler to turn off case sensitivity.

Yes, you are right. But it's not currently possible. It should be
however, I'll try to add it in the near future.

Post by stucky
And while we're talking regex. Shouldn't the above line actually read
filter logparse { match(".+error.+"); }; ?
meaning "anything followed by 'error' followed by anything"
Both appear to work so I assume the first line is interpreted by
syslog-ng like the second line correct ?

syslog-ng interprets "match" the same as grep, e.g. it does not care
where the pattern is found. If you want to match the beginning or the
end of line, you need to use explicit ^ and $ characters.
--
Bazsi
stucky
2007-04-28 19:44:04 UTC
Bazsi

Cool. I'm in the middle of building a new infrastructure and would like to
use this feature. I'm not a programmer but I assume adding this feature
shouldn't be very hard at all right ?
If you had a rough ETA that'd help me.

thx
--
stucky
Balazs Scheidler
2007-04-29 17:21:11 UTC
Post by stucky
Bazsi
Cool. I'm in the middle of building a new infrastructure and would
like to use this feature. I'm not a programmer but I assume adding
this feature shouldn't be very hard at all right ?
If you had a rough ETA that'd help me.

Attached patch implements it using perl-like syntax, e.g.:

filter f_case { match('(?i)regexp'); };

It works in all filters that use regexps (e.g. match, host, program,
etc.). The regexp must begin with '(?' or otherwise the flag will not be
recognized.

Tomorrow's snapshot should contain it.
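
An added example, not part of the thread or of the syslog-ng patch: a Python emulation of the matching semantics discussed above, run over constructed log messages. It compares the patterns from the thread and shows that `.+error.+` selects fewer messages than `error` when the word sits at the start or end of the message. The helper names and sample lines are assumptions, and Python's `re` stands in for syslog-ng's regex engine.

```python
import re

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    "error: disk full on /var",
    "kernel: I/O Error on sda1",
    "backup finished with ERROR",
    "cron: no errors found",
    "session opened for user root",
]

def compile_filter(pattern):
    """Compile a filter regexp, honouring a leading '(?i)' as in the thread.

    Only a flag at the very start is handled, following the statement that
    the regexp must begin with '(?'. Python's re is a stand-in engine.
    """
    flags = 0
    if pattern.startswith("(?i)"):
        pattern = pattern[len("(?i)"):]
        flags = re.IGNORECASE
    return re.compile(pattern, flags)

def matching(pattern, messages=SAMPLES):
    """Return the messages the pattern selects, grep-style (unanchored)."""
    rx = compile_filter(pattern)
    # search() finds the pattern anywhere; ^ and $ anchor it explicitly.
    return [m for m in messages if rx.search(m)]

if __name__ == "__main__":
    for pat in ("error", "[Ee][Rr][Rr][Oo][Rr]", "(?i)error",
                ".+error.+", "(?i).+error.+", "^error", "(?i)error$"):
        print(f"{pat!r:28} -> {matching(pat)}")
```
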
stucky
2007-04-30 18:10:57 UTC
Thanks very much for the quick fix !
I tried today's snapshot and it seems to work.

regards