8.8. Regular expressions

Filters and substitution rewrite rules can use regular expressions. Up to 255 regexp matches (${1} ... ${255}) can be referenced, but only from the last filter and only if the flags("store-matches") flag was set for that filter. For case-insensitive searches, use the flags("ignore-case") option.

By default, syslog-ng uses POSIX-style regular expressions. Perl Compatible Regular Expressions (PCRE) can be used only if syslog-ng was explicitly compiled with the --enable-pcre option; to use them, add the type("pcre") option after the regular expression. Execute the syslog-ng -V command to list the options supported by your binary. PCRE support is currently disabled in syslog-ng Premium Edition.

POSIX regular expressions have the following flag options:

Name Description
global Usable only in rewrite rules; match for every occurrence of the expression, not only the first one.
ignore-case Disable case-sensitivity.
store-matches Store the matches of the regular expression into the $1, ... $255 variables. Matches from the last filter expression can be referenced in regular expressions.
utf8 Use UTF-8 matching.

Table 8.23. POSIX options


Example 8.39. Using POSIX regular expressions
filter f_message { message("keyword" flags("utf8" "ignore-case")); };

PCRE regular expressions have the following flag options:

Name Description
global Usable only in rewrite rules; match for every occurrence of the expression, not only the first one.
ignore-case Disable case-sensitivity.
nobackref Do not store back references for the matches — improves performance.
store-matches Store the matches of the regular expression into the $1, ... $255 variables. Named matches (also called named subpatterns), e.g., (?<name>...), are stored as well. Matches from the last filter expression can be referenced in regular expressions.
unicode Use Unicode support for UTF-8 matches: UTF-8 character sequences are handled as single characters.
utf8 An alias for the unicode flag.

Table 8.24. PCRE options


Example 8.40. Using PCRE regular expressions
rewrite r_rewrite_subst {
        subst("a*", "?", field("message") type("pcre") flags("utf8" "global"));
};
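
The flags in Tables 8.23 and 8.24 can be tried against sample messages before a pattern goes into a filter or rewrite rule. The following is an added example, not part of the syslog-ng documentation or code: it models the flags with Python's re module, which approximates PCRE but is not the engine syslog-ng uses. The function names and sample messages are hypothetical, and treating nobackref as "store nothing" is an assumption based on the description in Table 8.24.

```python
import re

def _compile(pattern, flags):
    # PCRE writes named groups as (?<name>...); Python's re needs (?P<name>...).
    pattern = re.sub(r"\(\?<(?![=!])", "(?P<", pattern)
    opts = re.IGNORECASE if "ignore-case" in flags else 0
    if "utf8" in flags or "unicode" in flags:
        return re.compile(pattern, opts), False            # match on characters
    return re.compile(pattern.encode("utf-8"), opts), True  # match on raw bytes

def filter_match(pattern, message, flags=()):
    """Return (matched, stored); stored models $1..$255 plus named matches."""
    rx, as_bytes = _compile(pattern, flags)
    m = rx.search(message.encode("utf-8") if as_bytes else message)
    if m is None:
        return False, {}
    if "store-matches" not in flags or "nobackref" in flags:
        return True, {}
    text = (lambda v: v.decode("utf-8", "replace")) if as_bytes else (lambda v: v)
    stored = {str(i): text(g) for i, g in enumerate(m.groups(), 1) if g is not None}
    stored.update({k: text(v) for k, v in m.groupdict().items() if v is not None})
    return True, stored

def subst(pattern, replacement, message, flags=()):
    """Model a rewrite rule: without "global" only the first match is replaced."""
    rx, as_bytes = _compile(pattern, flags)
    count = 0 if "global" in flags else 1
    if as_bytes:
        out = rx.sub(replacement.encode("utf-8"), message.encode("utf-8"), count=count)
        return out.decode("utf-8", "replace")
    return rx.sub(replacement, message, count=count)

# Constructed sample messages (not taken from any real log).
SSH = "FAILED password for root from 192.0.2.10 port 52211 ssh2"
CREDS = "login password=a1 retry password=b2"
PATTERN = r"failed password for (?<user>\S+) from (?<src>[0-9.]+)"

if __name__ == "__main__":
    print(filter_match(PATTERN, SSH, ("store-matches",)))
    print(filter_match(PATTERN, SSH, ("ignore-case", "store-matches")))
    print(filter_match("^user=.$", "user=\u00e9"))
    print(filter_match("^user=.$", "user=\u00e9", ("utf8",)))
    print(subst(r"password=\S+", "password=***", CREDS))
    print(subst(r"password=\S+", "password=***", CREDS, ("global",)))
```

The cases worth noting are the ones that fail quietly: a case-sensitive filter that never sees the upper-case message, a byte-oriented "." that does not cover a multi-byte character, and a masking rule without global that leaves the second password in the log.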

© 2007-2010 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com