Re: Configurable Matches

It seems as if your regex matches entire lines really - is that to say Shorewall loglines are mixed into log files, along with various other output?

You can certainly set up the content to be matched using a variable from an external file, but first it might be really useful to get the logs in order carefully.

If they are mixed logs, it's much more (needless) work.. better separate them out - e.g. each virtual site has its own logs, iptables logs to one file, auth events to another, etc etc

Sorry if I misunderstood what you're trying to acheive..

Comment on Re: Configurable Matches

Replies are listed 'Best First'.
Re^2: Configurable Matches by jdhawke (Acolyte) on Jun 03, 2004 at 04:34 UTC
No problem, yes I am matching entire lines from my syslog, but am using the capturing parens to pull out a synopsis of the data. So instead of: `Jun 2 03:09:40 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= +MAC=00:50:04:70:8c:ba:00:01:96:0d:03:70:08:00 SRC=211.199.195.208 DST +=24.xx.xx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=97 ID=35909 DF PROTO=TCP +SPT=3568 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0` [download] I will have this: `IP Proto Sport Dport Count 211.199.195.208 TCP 3568 1025 1` [download] And like I said, this is more for me to learn perl than any other reason. :)	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^2: Configurable Matches
by jdhawke (Acolyte) on Jun 03, 2004 at 04:34 UTC

Jun  2 03:09:40 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= 
+MAC=00:50:04:70:8c:ba:00:01:96:0d:03:70:08:00 SRC=211.199.195.208 DST
+=24.xx.xx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=97 ID=35909 DF PROTO=TCP 
+SPT=3568 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
[download]

IP               Proto  Sport  Dport  Count
211.199.195.208  TCP    3568   1025   1
[download]

[reply]
[d/l]
[select]