# syslog-ng match() case sensitive?

## humbletech99

Does anybody know if syslog-ng match() is case sensitive, and if so, how do I make it insensitive?

----------

## think4urs11

so we meet again regarding syslog-ng

according to Balaz (syslog-ng dev):

> All filters use regexps and are thus case sensitive.

----------

## humbletech99

indeed, my guiding light on this subject, thanks for all your help. I'm now left scratching my head over how to make a case insensitive search. From what I have seen, everything from grep to perl to python has its own way of making the search insensitive....

So how do I do it here?

Also I notice that a filter such as

```
match("(A|a)uthentication (F|f)ailure")
```

does not have the desired effect and the filter doesn't seem to pull out messages with either Authentication Failure or authentication failure or mixed capitals... any idea why?

ps. where did you find a syslog-ng dev? their irc channel at freenode is a graveyard, there are no users in there and nobody speaks or answers anything...

----------

## wynn

Would

```
match("[Aa]uthentication [Ff]ailure")
```

work?

FYI, syslog-ng uses regcomp with flags REG_NOSUB | REG_EXTENDED

The regcomp manpage gives

> REG_EXTENDED
>
>     Use POSIX Extended Regular Expression syntax

and

> REG_NOSUB
>
>     Support for substring addressing of matches is not required.

----------

## think4urs11

 *humbletech99 wrote:*   

> Also I notice that a filter such as
> 
> ```
> match("(A|a)uthentication (F|f)ailure")
> ```
> ...


I haven't actually tested it, but shouldn't it be more like

```
match("[Aa]uthentication [Ff]ailure")
```

 *humbletech99 wrote:*   

> ps. where did you find a syslog-ng dev? their irc channel at freenode is a graveyard, there are no users in there and nobody speaks or answers anything...


mhhh, just a little bit of asking the oracle (aka google)

just in case you wonder where exactly: https://lists.balabit.hu/pipermail/syslog-ng/2005-December/008289.html

----------

## humbletech99

yeah, I wasn't sure if it should be (A|a) or [Aa]. But I'm sure that I've seen things like (choice1|choice2) in regexes before, and so I thought this would work. I wasn't sure whether doing [Aa] was a bashism or not.

Thanks for the pointer, now I've seen the syslog-ng mailing list perhaps I should get on it...

wynn: how does the regcomp help me here though? Like I said, I don't know how to switch the flag on; everything seems to have its own way of doing this and it's not so standardised like the actual regexes themselves...

----------

## wynn

I just thought if "(A|a)" didn't work (and, as you point out, it should) you could get on with your life by changing to "[Aa]"

Both are (as far as I know) ways of selecting "A" or "a", just that "(A|a)" will cause backtracking while "[Aa]" won't.

There are warnings in the excerpt from the mailing list about using "\\(" for a literal left paren but, equally, "(" is pointed out as used for grouping and is therefore expected (by the dev) to work.

I only added the info about regcomp in case you wanted to find out more about it or about POSIX Extended Regular Expression syntax now you knew that that is what syslog-ng's regexps conform to.

----------

## think4urs11

 *humbletech99 wrote:*   

> yeah I wasn't sure if it should be (A|a) or [Aa]. But I'm sure that I've seen things like (choice1|choice2) in regexes before and so I thought this would work. I wasn't sure if this was a bashism or not to do [Aa].


hmm, maybe it would work with '()' too if you escape them like '\\(' and '\\)'

*g* seems as if wynn and I are nearly synced

----------

## wynn

 *Quote:*   

> maybe it would work with '()' too if you escape them like '\\(' and '\\)'

but the email from the mailing list says

 *Quote:*   

> Since I'm using extended regular expressions '(' and ')' are special characters used for grouping, if you want literal parens, escape it: \\( or \\) (again the double backslashes are present because of the lexer)

Doesn't this mean that just plain "(" and ")" are supposed to be recognized as part of the regexp format and not literal characters?

It seems to be just too much work to try out different regexps with syslog-ng or I'd volunteer...

----------

## think4urs11

 *wynn wrote:*   

> Doesn't this mean that just plain "(" and ")" are supposed to be recognized as part of the regexp format and not literal characters?
> 
> It seems to be just too much work to try out different regexps with syslog-ng or I'd volunteer...


Not sure either... if I needed regex I'd use the '[]' syntax anyway.

----------

## humbletech99

ok, I'm using [Aa] and will see how that goes..

but really I need to find a way of doing case insensitive searches. Surely I don't need to recompile with the flag for case insensitive matching? Also, there isn't a use flag for that so it'd have to be a custom compile or a portage overlay job <sigh>.

I think this will be one for the mailing list...

----------

## wynn

'(A|a)' works!

The changes to /etc/syslog-ng/syslog-ng.conf

```
destination testrx   { file("/var/log/testrx.log"); };

filter f_testrx { match("(A|a)uthentication (F|f)ailure"); };

log { source(src); filter(f_testrx); destination(testrx); };
```

The contents of /var/log/testrx

```
Aug  7 19:15:49 lightfoot textrx[12261]: Authentication Failure

Aug  7 19:16:54 lightfoot textrx[12273]: Authentication failure

Aug  7 19:17:01 lightfoot textrx[12274]: authentication failure

Aug  7 19:17:08 lightfoot textrx[12275]: authentication Failure
```

 *Quote:*   

> But really I need to find a way of doing case insensitive searches. Surely I don't need to recompile with the flag for case insensitive matching? 

Unfortunately regcomp/POSIX regexps don't provide a means of doing case insensitive searches.

A patch to syslog-ng would do it

----------

## humbletech99

glad to hear it works, I was worried that my regex knowledge was worse than I thought. I'm using [Aa] now and it works, it's better I think since it doesn't store the result of the A or a match.

I was afraid that somebody would say you can't do an insensitive match - that's why I asked on the off chance it was just my lack of knowledge rather than calling it a limitation of the software. It's a real shame, this is such an important aspect of pattern matching that it seems to me to be an extremely bad design decision to not have a way of doing an insensitive match.

I don't really wanna be stuck with things like

```
filter f_test{ match("[Ll][Oo][Gg][Ii][Nn] [Ff][Aa][Ii][Ll][Ee][Dd]"); };
```

when it could have been so much shorter and easier to read....
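To show what wynn's test and the `[Ll][Oo][Gg]...` expansion above actually do at the regcomp level, here is an added example (not code from this thread or from syslog-ng). It compiles patterns with the flags the thread cites, REG_EXTENDED | REG_NOSUB, runs wynn's "(A|a)" and "[Aa]" forms over sample lines, and adds a small helper that turns a literal string into the bracket form from the post above, escaping ERE metacharacters so that something like "textrx[12261]" matches literally. It also compiles the plain literal with regcomp's own REG_ICASE flag, which the C library defines; nothing in this thread shows syslog-ng passing that flag, so that call only illustrates what a patched build would get from the library. The sample lines are constructed, modelled on the /var/log/testrx excerpt, with two extra lines added (an all-caps one and an unrelated one); all helper names are the example's own.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Expand a literal into a POSIX ERE that matches it regardless of letter case,
 * e.g. "Login failed" -> "[Ll][Oo][Gg][Ii][Nn] [Ff][Aa][Ii][Ll][Ee][Dd]".
 * ERE metacharacters in the literal are backslash-escaped so they match literally.
 * Returns 0 on success, -1 if the output buffer is too small. */
int build_ci_pattern(const char *literal, char *out, size_t outlen)
{
    size_t pos = 0;
    for (const unsigned char *p = (const unsigned char *)literal; *p; p++) {
        char piece[5];
        size_t n;
        if (isalpha(*p)) {
            n = (size_t)snprintf(piece, sizeof piece, "[%c%c]", toupper(*p), tolower(*p));
        } else if (strchr(".[()*+?{|^$\\", *p)) {
            /* Characters that are special in ERE outside a bracket expression. */
            n = (size_t)snprintf(piece, sizeof piece, "\\%c", *p);
        } else {
            piece[0] = (char)*p;
            piece[1] = '\0';
            n = 1;
        }
        if (pos + n + 1 > outlen)
            return -1;
        memcpy(out + pos, piece, n);
        pos += n;
    }
    out[pos] = '\0';
    return 0;
}

/* Compile with the flags the thread cites (REG_EXTENDED | REG_NOSUB) plus any
 * extra cflags and test one line. Returns 1 on match, 0 on no match, -1 on error. */
int ere_matches(const char *pattern, const char *text, int extra_cflags)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB | extra_cflags) != 0)
        return -1;
    int rc = regexec(&re, text, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : (rc == REG_NOMATCH ? 0 : -1);
}

/* Constructed sample lines, modelled on the /var/log/testrx excerpt in the thread;
 * the last two (all caps, and an unrelated message) are added for contrast. */
static const char *SAMPLE_LINES[] = {
    "Aug  7 19:15:49 lightfoot textrx[12261]: Authentication Failure",
    "Aug  7 19:16:54 lightfoot textrx[12273]: Authentication failure",
    "Aug  7 19:17:01 lightfoot textrx[12274]: authentication failure",
    "Aug  7 19:17:08 lightfoot textrx[12275]: authentication Failure",
    "Aug  7 19:18:00 lightfoot textrx[12276]: AUTHENTICATION FAILURE",
    "Aug  7 19:18:30 lightfoot textrx[12277]: session opened for user test",
};
#define NUM_SAMPLE_LINES (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Number of sample lines a pattern selects under the given extra cflags. */
int count_matches(const char *pattern, int extra_cflags)
{
    int hits = 0;
    for (size_t i = 0; i < NUM_SAMPLE_LINES; i++)
        if (ere_matches(pattern, SAMPLE_LINES[i], extra_cflags) == 1)
            hits++;
    return hits;
}

/* Expand a literal with build_ci_pattern and count its hits (no REG_ICASE). */
int ci_pattern_hits(const char *literal)
{
    char ci[256];
    if (build_ci_pattern(literal, ci, sizeof ci) != 0)
        return -1;
    return count_matches(ci, 0);
}

/* 1 if the expansion of literal equals expected, else 0. */
int ci_pattern_equals(const char *literal, const char *expected)
{
    char ci[256];
    if (build_ci_pattern(literal, ci, sizeof ci) != 0)
        return 0;
    return strcmp(ci, expected) == 0;
}

int main(void)
{
    char ci[256];
    build_ci_pattern("authentication failure", ci, sizeof ci);
    printf("expanded pattern: %s\n", ci);
    printf("(A|a) form:       %d hits\n", count_matches("(A|a)uthentication (F|f)ailure", 0));
    printf("[Aa] form:        %d hits\n", count_matches("[Aa]uthentication [Ff]ailure", 0));
    printf("bracket expansion: %d hits\n", ci_pattern_hits("authentication failure"));
    printf("REG_ICASE:        %d hits\n", count_matches("authentication failure", REG_ICASE));
    return 0;
}
```

Both of wynn's forms select the four mixed-case lines from the thread but miss the all-caps one, because only the first letter of each word is made case-insensitive; the full bracket expansion and REG_ICASE both select all five. The escaping in build_ci_pattern is what keeps a literal such as "textrx[12261]" from being read as a bracket expression.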

----------

## think4urs11

just for my curiosity:

do you try to filter on suspicious events?

If yes, it might be worth looking at sys-apps/logwatch.

Much easier than creating hundreds of filters.

----------

## humbletech99

I think I remember seeing logwatch, it's a perl script I think that watches text log files. I'm logging to a database, no txt files, so I've added a few security matches for the events I know of, which is good enough; it catches stuff really quite well. Also I have windows machines which I'm not sure it would alert me for, since they have completely different alerts....

----------

## think4urs11

I do both

a) log to a database

b) log to flatfile (daily rotated and deleted after some days)

with that I can have the best of both worlds - sql selects and grep/logwatch/alerting by bash-script or mail/whatever

For windows, the best you can do is to search/match for event-ids ... the log entries are very chatty as you might already know

If you like I can PN you a list of (according to my Win admins) useful event-ids tomorrow

----------

## humbletech99

thanks that would be cool.

I used to log to both but I've decided I didn't want to use the space or slow the machine by doing both... perhaps I may reconsider...

----------

