Types and options of regular expressions
By default, syslog-ng uses PCRE-style regular expressions. To use other expression types, add the type() option after the regular expression.
The syslog-ng OSE application supports the following expression types:
pcre
Description: Use Perl Compatible Regular Expressions (PCRE). If the type() parameter is not specified, syslog-ng uses PCRE regular expressions by default.
PCRE regular expressions have the following flag options:
global:
Usable only in rewrite rules: match for every occurrence of the expression, not only the first one.
store-matches:
Store the matches of the regular expression into the $0, ... $255 variables. The $0 stores the entire match, $1 is the first group of the match (parentheses), and so on. Named matches (also called named subpatterns), for example (?<name>...), are stored as well. Matches from the last filter expression can be referenced in regular expressions.
unicode:
Use Unicode support for UTF-8 matches: UTF-8 character sequences are handled as single characters.
string
Description: Match the strings literally, without regular expression support. By default, only identical strings are matched. For partial matches, use the flags("prefix") or the flags("substring") flags.
glob
Description: Match the strings against a pattern containing '*' and '?' wildcards, without regular expression and character range support. The advantage of glob patterns to regular expressions is that globs can be processed much faster.
- *
-
matches an arbitrary string, including an empty string
- ?
-
matches an arbitrary character
|
|
NOTE:
|
Optimizing regular expressions
The host(), match(), and program() filter functions and some other syslog-ng objects accept regular expressions as parameters. But evaluating general regular expressions puts a high load on the CPU, which can cause problems when the message traffic is very high. Often the regular expression can be replaced with simple filter functions and logical operators. Using simple filters and logical operators, the same effect can be achieved at a much lower CPU load.
Example: Optimizing regular expressions in filters
Suppose you need a filter that matches the following error message logged by the xntpd NTP daemon:
xntpd[1567]: time error -1159.777379 is too large (set clock manually);
The following filter uses regular expressions and matches every instance and variant of this message.
filter f_demo_regexp {
program("demo_program") and
match("time error .* is too large .* set clock manually");
};
Segmenting the match() part of this filter into separate match() functions greatly improves the performance of the filter.
filter f_demo_optimized_regexp {
program("demo_program") and
match("time error") and
match("is too large") and
match("set clock manually");
};parser: Parse and segment structured messages
The filters and default macros of syslog-ng work well on the headers and metainformation of the log messages, but are rather limited when processing the content of the messages. Parsers can segment the content of the messages into name-value pairs, and these names can be used as user-defined macros. Subsequent filtering or other type of processing of the message can use these custom macros to refer to parts of the message. Parsers are global objects most often used together with filters and rewrite rules.
The syslog-ng OSE application provides the following possibilities to parse the messages, or parts of the messages:
-
By default, syslog-ng OSE parses every message as a syslog message. To disable message parsing, use the flags(no-parse) option of the source. To explicitly parse a message as a syslog message, use the syslog parser. For details, see Parsing syslog messages.
-
To segment a message into columns using a CSV-parser, see Parsing messages with comma-separated and similar values.
-
To segment a message consisting of whitespace or comma-separated key=value pairs (for example, Postfix log messages), see Parsing key=value pairs.
-
To parse JSON-formatted messages, see The JSON parser The JSON parser.
-
To parse XML-formatted messages, see The XML parser.
-
To parse a specially-formatted date or timestamp, see Parsing dates and timestamps.
-
To write a custom parser in Python, see The Python Parser.
-
To identify and parse the messages using a pattern database, see db-parser: Process message content with a pattern database (patterndb).
The syslog-ng OSE application provides built-in parsers for the following application logs:
-
Apache HTTP server access logs. For details, see The Apache Access Log Parser.
-
Cisco devices. For details, see The Cisco Parser.
-
Linux Audit (auditd) logs. For details, see The Linux Audit Parser.
-
osquery result logs. For details, see osquery: Collect and parse osquery result logs.
-
SNMP traps of the Net-SNMP's snmptrapd application. For details, see snmptrap: Read Net-SNMP traps.
Parsing syslog messages
By default, syslog-ng OSE parses every message using the syslog-parser as a syslog message, and fills the macros with values of the message. The syslog-parser does not discard messages: the message cannot be parsed as a syslog message, the entire message (including its header) is stored in the $MSG macro. If you do not want to parse the message as a syslog message, use the flags(no-parse) option of the source.
You can also use the syslog-parser to explicitly parse a message, or a part of a message as a syslog message (for example, after rewriting the beginning of a message that does not comply with the syslog standards).
Example: Using junctions
For example, suppose that you have a single network source that receives log messages from different devices, and some devices send messages that are not RFC-compliant (some routers are notorious for that). To solve this problem in earlier versions of syslog-ng OSE, you had to create two different network sources using different IP addresses or ports: one that received the RFC-compliant messages, and one that received the improperly formatted messages (for example, using the flags(no-parse) option). Using junctions this becomes much more simple: you can use a single network source to receive every message, then use a junction and two channels. The first channel processes the RFC-compliant messages, the second everything else. At the end, every message is stored in a single file. The filters used in the example can be host() filters (if you have a list of the IP addresses of the devices sending non-compliant messages), but that depends on your environment.
log {
source {
syslog(
ip(10.1.2.3)
transport("tcp")
flags(no-parse)
);
};
junction {
channel {
filter(f_compliant_hosts);
parser {
syslog-parser();
};
};
channel {
filter(f_noncompliant_hosts);
};
};
destination {
file("/var/log/messages");
};
};
Since every channel receives every message that reaches the junction, use the flags(final) option in the channels to avoid the unnecessary processing the messages multiple times:
log {
source {
syslog(
ip(10.1.2.3)
transport("tcp")
flags(no-parse)
);
};
junction {
channel {
filter(f_compliant_hosts);
parser {
syslog-parser();
};
flags(final);
};
channel {
filter(f_noncompliant_hosts);
flags(final);
};
};
destination {
file("/var/log/messages");
};
};
Note that syslog-ng OSE has several parsers that you can use to parse non-compliant messages. You can even write a custom syslog-ng parser in Python. For details, see parser: Parse and segment structured messages.
Note that by default, the syslog-parser attempts to parse the message as an RFC3164-formatted (BSD-syslog) message. To parse the message as an RFC5424-formatted message, use the flags(syslog-protocol) option in the parser.
syslog-parser(flags(syslog-protocol));