# Syslog-ng - Strip out/replace msgs on any given regexp

## thingy

There is a patch available for syslog-ng, called syslog-ng-anon, which:

 *Quote:*   

> allows you to strip out any given regular expression or all IP addresses from log messages before they are written to disk. The goal is to give the system administrator the means to implement site logging policies by allowing them easy control over exactly what data they retain in their logfiles, regardless of what a particular daemon might think is best.

 

Patch = http://dev.riseup.net/privacy/syslog-ng-anon/

I got the patch working with the current ~x86 version of syslog-ng, 1.6.12-r1, and found a neat way to filter out messages which you don't want appearing in the logs at all.

Note: "filtering out" means the message is not written at all; "strip out/replace" means the message's contents are modified before it is written.

Following this post are the two diff files plus an overlay ebuild to get it working. Note that the diff headers carry no `a/`/`b/` prefix (e.g. `--- doc/Makefile.am`), so if you apply them by hand use `patch -p0`; the `-p1` given in the patch's own README would strip the `doc/` and `src/` path components. The ebuild applies them with `epatch`, which tries several strip levels itself.

Regarding the neat way to filter out unwanted messages: one undocumented way of doing it (see https://lists.balabit.hu/pipermail/syslog-ng/2005-October/008079.html) is to create a destination without specifying a driver.

i.e.

```
destination dl_none { };
```

Now, if you create a filter for anything you don't want, e.g.:

```
filter f_ignoreTHIS { match("my regular expression"); };
```

you can now filter out this via:

```
log { source(s_something); filter(f_ignoreTHIS); destination(dl_none); };
```

Note: You do NOT need the syslog-ng-anon patch to filter out messages using the above; a driver-less destination works with stock syslog-ng. The patch only adds the `strip()`/`replace()` filters, which rewrite a message before it is written, e.g. to remove IP addresses. Be aware of what `strip(ips)` actually covers: the regex the patch compiles matches dotted (or dash-separated) IPv4 addresses only, so IPv6 addresses, hostnames and user names pass through untouched, and the same loose pattern can also hit other dotted number groups in a message. Treat it as one layer of a retention policy, not as proof that a log file contains no identifying data.

Here's my syslog-ng.conf as an example:

```

##----------------------------------------------------------------------------

##

## Syslog-ng configuration file

##

##----------------------------------------------------------------------------

##----------------------------------------------------------------------------

#

# Global options

#

##----------------------------------------------------------------------------

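# Global options.
#  - chain_hostnames(off): do not build the relay-chain form of the host
#    name; record only the host the message arrived from.
#  - sync(0): write every message out immediately instead of buffering
#    lines, so nothing sits in memory if syslog-ng dies.
#  - use_dns(no): never reverse-resolve the sender of a network message.
#    s_netUDP below accepts datagrams from the network and a UDP source
#    address is trivially forged, so a lookup would both stall the logger
#    on a slow resolver and let an unauthenticated DNS answer decide which
#    hostname ends up in the log file. Log the address instead.
options {
   chain_hostnames(off);
   sync(0);
   use_dns(no);
};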

##----------------------------------------------------------------------------

#

# Sources

#

##----------------------------------------------------------------------------

# Kernel ring buffer; every line gets a "kernel: " prefix so it reads like
# the usual klogd output.
source s_kernel { file("/proc/kmsg" log_prefix("kernel: ")); };

# The local syslog socket plus syslog-ng's own internal() messages.
source s_local { unix-stream("/dev/log"); internal(); };

# NOTE(review): udp() with no ip()/port() option listens on every interface
# on UDP/514. Syslog over UDP has no authentication and the sender address
# can be forged, so everything arriving here is untrusted input: keep the
# host-firewall rule described under "Log Paths", treat it as a filter
# rather than as authentication, and consider a netmask() filter on the
# s_netUDP log paths as a second layer. Any host that gets through can write
# arbitrary lines into the files those paths feed (and, via the f_emerg
# path, onto root's terminal).
source s_netUDP { udp(); };

##----------------------------------------------------------------------------

#

# Destinations

#

##----------------------------------------------------------------------------

# Router (Draytek) messages selected by f_draytek.
destination dl_draytek { file("/var/log/draytek.log"); };

# Destination with no driver: whatever is routed here is discarded. This is
# the /dev/null of the config (see the f_draytekIGNORE log path).
destination dl_none { };

# Writes straight onto these users' terminals; fed by the f_emerg log path,
# which also takes messages from the network source.
destination dl_root { usertty("root"); usertty("jc"); };

# Per-source catch-all files for the flags(fallback) log paths.
destination dl_srclocal { file("/var/log/src_local.log"); };

destination dl_srckernel { file("/var/log/src_kernel.log"); };

destination dl_srcnetUDP { file("/var/log/src_netUDP.log"); };

#

#--- Facility Destinations ---------------------------------------------------

#

# One file per syslog facility; paired 1:1 with the f_* facility filters.
# NOTE(review): none of these file() destinations sets owner()/group()/
# perm(), so the files get whatever this build's defaults are. auth.log and
# authpriv.log in particular should not be readable by ordinary users; set
# the mode explicitly (the patch's sample config does it globally with
# perm(0640) and group(adm) in options{}) rather than relying on the default.
destination dl_auth { file("/var/log/auth.log"); };

destination dl_authpriv { file("/var/log/authpriv.log"); };

destination dl_cron { file("/var/log/cron.log"); };

destination dl_daemon { file("/var/log/daemon.log"); };

destination dl_ftp { file("/var/log/ftp.log"); };

destination dl_kern { file("/var/log/kernel.log"); };

destination dl_lpr { file("/var/log/lpr.log"); };

destination dl_mail { file("/var/log/mail.log"); };

destination dl_news { file("/var/log/news.log"); };

destination dl_syslog { file("/var/log/syslog.log"); };

destination dl_user { file("/var/log/user.log"); };

destination dl_uucp { file("/var/log/uucp.log"); };

destination dl_local0 { file("/var/log/local0.log"); };

destination dl_local1 { file("/var/log/local1.log"); };

destination dl_local2 { file("/var/log/local2.log"); };

destination dl_local3 { file("/var/log/local3.log"); };

destination dl_local4 { file("/var/log/local4.log"); };

destination dl_local5 { file("/var/log/local5.log"); };

destination dl_local6 { file("/var/log/local6.log"); };

destination dl_local7 { file("/var/log/local7.log"); };

#

#--- Security Destinations ---------------------------------------------------

#

# Kernel security subsystems (SELinux avc, audit, grsecurity, PaX), split
# out of kernel.log by the content filters below.
destination dl_avc { file("/var/log/avc.log"); };

destination dl_audit { file("/var/log/audit.log"); };

destination dl_grsec { file("/var/log/grsec.log"); };

destination dl_pax { file("/var/log/pax.log"); };

##----------------------------------------------------------------------------

#

# Filters

#

##----------------------------------------------------------------------------

# Router messages. match() is a regex search over the message text (the
# patterns below add "^" when they want anchoring), so these fire wherever
# "dv2600vg: " appears in the line. f_draytek already excludes the noisy
# PoE lines; f_draytekIGNORE selects exactly those lines so a separate log
# path can swallow them (see dl_none).
filter f_draytek { match("dv2600vg: .*") and not match("dv2600vg: PoE .*"); };

filter f_draytekIGNORE { match("dv2600vg: PoE .*"); };

#

#--- Facility Filters --------------------------------------------------------

#

# One filter per syslog facility; paired 1:1 with the dl_* destinations.
filter f_auth { facility(auth); };

filter f_authpriv { facility(authpriv); };

filter f_cron { facility(cron); };

filter f_daemon { facility(daemon); };

filter f_ftp { facility(ftp); };

filter f_kern { facility(kern); };

filter f_lpr { facility(lpr); };

filter f_mail { facility(mail); };

filter f_news { facility(news); };

filter f_syslog { facility(syslog); };

filter f_user { facility(user); };

filter f_uucp { facility(uucp); };

filter f_local0 { facility (local0); };

filter f_local1 { facility (local1); };

filter f_local2 { facility (local2); };

filter f_local3 { facility (local3); };

filter f_local4 { facility (local4); };

filter f_local5 { facility (local5); };

filter f_local6 { facility (local6); };

filter f_local7 { facility (local7); };

#

#--- Priority Filters --------------------------------------------------------

#

# Single-priority filters. Only f_emerg is referenced by a log path in this
# config; the others are defined for convenience and are currently unused.
filter f_alert       { level (alert); };

filter f_crit       { level (crit); };

filter f_debug       { level (debug); };

filter f_emerg       { level (emerg); };

filter f_err       { level (err); };

filter f_info       { level (info); };

filter f_notice    { level (notice); };

filter f_warning   { level (warning); };

#

#--- Security Filters --------------------------------------------------------

#

# Content filters, applied to s_kernel only (see Log Paths). f_audit
# explicitly excludes avc lines so avc.log and audit.log do not overlap.
# The leading ".*" in the avc/audit patterns adds nothing to a regex search
# but is harmless.
filter f_avc { match(".*avc: .*"); };

filter f_audit { match("^audit.*") and not match(".*avc: .*"); };

filter f_pax { match("^PAX:.*"); };

filter f_grsec { match("^grsec:.*"); };

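##----------------------------------------------------------------------------
#
# Log Paths
#   - Log statements are processed in the order they appear!
#   - For every source, ALWAYS have a fallback destination: a message that
#     matches none of the (non-fallback) log statements for its source is
#     dropped, i.e. you lose data.
#   - A message goes to EVERY log statement it matches; there is no
#     flags(final) here, so e.g. a kernel avc line lands in both avc.log
#     and kernel.log (kmsg lines carry the kern facility).
#
##----------------------------------------------------------------------------

# From any source, anything of Emergency priority gets sent to the root/admin
# users' terminals.
# NOTE(review): s_netUDP is included and dl_root writes to a tty. Any host
# the firewall lets through (or a forged UDP source address) can therefore
# put an arbitrary line on root's terminal just by sending a datagram with
# the emerg priority. If the router's emergencies are not worth that, drop
# source(s_netUDP) from this statement or add a netmask() filter to it.
log { source(s_local); source(s_kernel); source(s_netUDP); filter(f_emerg); destination(dl_root); };

# Kernel messages
log { source(s_kernel); filter(f_avc);   destination(dl_avc); };
log { source(s_kernel); filter(f_audit); destination(dl_audit); };
log { source(s_kernel); filter(f_grsec); destination(dl_grsec); };
log { source(s_kernel); filter(f_kern);  destination(dl_kern); };
log { source(s_kernel); filter(f_pax);   destination(dl_pax); };

# Fallback for any kernel messages that didn't match the above statements.
log { source(s_kernel); destination(dl_srckernel); flags(fallback); };

# Local messages, one file per facility.
log { source(s_local); filter(f_auth);     destination(dl_auth); };
log { source(s_local); filter(f_authpriv); destination(dl_authpriv); };
log { source(s_local); filter(f_cron);     destination(dl_cron); };
log { source(s_local); filter(f_daemon);   destination(dl_daemon); };
log { source(s_local); filter(f_ftp);      destination(dl_ftp); };
log { source(s_local); filter(f_lpr);      destination(dl_lpr); };
log { source(s_local); filter(f_mail);     destination(dl_mail); };
log { source(s_local); filter(f_news);     destination(dl_news); };
log { source(s_local); filter(f_syslog);   destination(dl_syslog); };
log { source(s_local); filter(f_user);     destination(dl_user); };
log { source(s_local); filter(f_uucp);     destination(dl_uucp); };
log { source(s_local); filter(f_local0);   destination(dl_local0); };
log { source(s_local); filter(f_local1);   destination(dl_local1); };
log { source(s_local); filter(f_local2);   destination(dl_local2); };
log { source(s_local); filter(f_local3);   destination(dl_local3); };
log { source(s_local); filter(f_local4);   destination(dl_local4); };
log { source(s_local); filter(f_local5);   destination(dl_local5); };
log { source(s_local); filter(f_local6);   destination(dl_local6); };
# local7 had f_local7/dl_local7 defined but no log path, so its messages
# silently went to the fallback file instead of local7.log.
log { source(s_local); filter(f_local7);   destination(dl_local7); };

# Fallback for any local messages that didn't get matched to the above
# statements.
log { source(s_local); destination(dl_srclocal); flags(fallback); };

# Network (UDP) messages.
# 1. Always have a firewall rule which restricts what hosts can talk
#    to our syslog-ng process. Currently only my adsl router is allowed
#    to send UDP packets on port 514 to the syslog-ng process. Remember
#    that UDP source addresses can be forged, so the firewall rule is a
#    filter, not authentication.
# 2. The first statement catches some frequent (and useless) msgs that my
#    router generates. I don't want these in the log file at all, hence
#    they go to dl_none, the equivalent of /dev/null. It has to be a real
#    log statement: a message that no non-fallback statement accepts is
#    picked up by the fallback below, not dropped. f_draytek already
#    excludes the PoE lines itself, so the order of these two statements
#    does not matter; what matters is that the PoE lines are consumed by
#    something.
log { source(s_netUDP); filter(f_draytekIGNORE); destination(dl_none); };
log { source(s_netUDP); filter(f_draytek); destination(dl_draytek); };

# Fallback for any network UDP messages that didn't match the above.
log { source(s_netUDP); destination(dl_srcnetUDP); flags(fallback); };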

```

I'm posting this to the forum in case it helps someone else out, and so that I can refer to it in the future.   :Smile: 

regards

JC

----------

## thingy

syslog-ng-anon.diff

```

diff -uNr doc/Makefile.am doc/Makefile.am

--- doc/Makefile.am   2005-03-04 09:58:08.000000000 -0600

+++ doc/Makefile.am   2005-05-30 18:26:29.986769706 -0500

@@ -4,7 +4,7 @@

 

 EXTRA_DIST = $(man_MANS) stresstest.sh syslog-ng.old.txt   \

    syslog-ng.conf.demo syslog-ng.conf.sample \

-   syslog-ng.conf.solaris 

-

+   syslog-ng.conf.solaris README.syslog-ng-anon \

+   syslog-ng-anon.conf

 

 

diff -uNr doc/Makefile.in doc/Makefile.in

--- doc/Makefile.in   2005-04-09 05:50:58.000000000 -0500

+++ doc/Makefile.in   2005-05-30 18:29:45.194741054 -0500

@@ -116,7 +116,9 @@

 

 EXTRA_DIST = $(man_MANS) stresstest.sh syslog-ng.old.txt   \

    syslog-ng.conf.demo syslog-ng.conf.sample \

-   syslog-ng.conf.solaris 

+   syslog-ng.conf.solaris README.syslog-ng-anon \

+   syslog-ng-anon.conf

+

 

 subdir = doc

 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4

diff -uNr doc/README.syslog-ng-anon doc/README.syslog-ng-anon

--- doc/README.syslog-ng-anon   1969-12-31 18:00:00.000000000 -0600

+++ doc/README.syslog-ng-anon   2005-05-30 18:25:40.828858265 -0500

@@ -0,0 +1,93 @@

+syslog-ng-anon

+

+ This patch adds the capability to syslog-ng that allows you to strip

+ out any given regexp or all IP addresses from log messages before

+ they are written to disk. The goal is to give the system administrator

+ the means to implement site logging policies, by allowing them easy

+ control over exactly what data they retain in their logfiles,

+ regardless of what a particular daemon might think is best.

+

+Background:

+

+ Data retention has become a hot legal topic for ISPs and other Online

+ Service Providers (OSPs). There are many instances where it is preferable

+ to keep less information on users than is collected by default on many

+ systems. In the United States it is not currently required to retain

+ data on users of a server, but you may be required to provide all data

+ on a user which you have retained. OSPs can protect themselves from legal

+ hassles and added work by choosing what data they wish to retain.

+

+ From "Best Practices for Online Service Providers"

+ (http://www.eff.org/osp):

+

+  As an intermediary, the OSP [Online Service Provider] finds itself in

+  a position to collect and store detailed information about its users

+  and their online activities that may be of great interest to third

+  parties. The USA PATRIOT Act also provides the government with

+  expanded powers to request this information. As a result, OSP owners

+  must deal with requests from law enforcement and lawyers to hand over

+  private user information and logs. Yet, compliance with these demands

+  takes away from an OSP's goal of providing users with reliable,

+  secure network services. In this paper, EFF offers some suggestions,

+  both legal and technical, for best practices that balance the needs

+  of OSPs and their users' privacy and civil liberties.

+ 

+  Rather than scrubbing the information you don't want in logs, this patch

+  ensures that the information is never written to disk. Also, for those 

+  daemons which log through syslog facilities, this patch provides a 

+  convenient single configuration to limit what you wish to log.

+  

+  Here are some related links:

+  

+  Best Practices for Online Service Providers

+  http://www.eff.org/osp

+  http://www.eff.org/osp/20040819_OSPBestPractices.pdf

+  

+  EPIC International Data Retention Page

+  http://www.epic.org/privacy/intl/data_retention.html

+  

+  Working Paper on Usage Log Data Management (from Computer, Freedom, and 

+  Privacy conference) http://cryptome.org/usage-logs.htm

+  

+

+Installing syslog-ng-anon 

+  

+ Applying the patch

+

+  This patch has been tested against the following versions of syslog-ng:

+    . version 1.6.7

+    . Debian package syslog-ng_1.6.7-2

+

+

+  To use this patch, obtain the source for syslog-ng 

+  (http://www.balabit.com/downloads/syslog-ng/1.6/src/) and the latest

+  syslog-ng-anon patch (http://dev.riseup.net/patches/syslog-ng/). 

+  Uncompress the syslog-ng source and then apply the patch:

+

+  % tar -zxvf syslog-ng.tar.gz

+  % cd syslog-ng

+  % patch -p1 < syslog-ng-anon.diff

+ 

+  Then compile and install syslog-ng as normal.

+

+ Debian package

+

+  Alternately, you can install syslog-ng-anon from this repository:

+  deb http://deb.riseup.net/debian unstable main

+

+ How to use it

+

+  This patch adds the filter "strip". For example:

+

+    filter f_strip {strip(<regexp>);};

+

+  This will strip out all matches of the regular expression on logs to

+  which the filter is applied and replaces all matches with the fixed length

+  four dashes ("----").

+

+  In place of a regular expression, you can put "ips", which will replace all

+  internet addresses with 0.0.0.0. For example:

+

+    filter f_strip {strip(ips);};

+

+  You can alter what the replacement strings are by using replace:

diff -uNr doc/syslog-ng-anon.conf doc/syslog-ng-anon.conf

--- doc/syslog-ng-anon.conf   1969-12-31 18:00:00.000000000 -0600

+++ doc/syslog-ng-anon.conf   2005-05-30 18:25:40.828858265 -0500

@@ -0,0 +1,243 @@

+#

+# Configuration file for syslog-ng under Debian.

+# Customized for riseup.net using syslog-ng-anon patch

+# (http://dev.riseup.net/patches/syslog-ng/)

+#

+# see http://www.campin.net/syslog-ng/expanded-syslog-ng.conf

+# for examples.

+#

+# levels: emerg alert crit err warning notice info debug

+#

+

+############################################################

+## global options

+

+options {

+    chain_hostnames(0);

+    time_reopen(10);

+    time_reap(360);

+    sync(0);

+    log_fifo_size(2048);

+    create_dirs(yes);

+    group(adm);

+    perm(0640);

+    dir_perm(0755);

+    use_dns(no);

+};

+

+############################################################

+## universal source

+

+source s_all {

+    internal();

+    unix-stream("/dev/log");

+    file("/proc/kmsg" log_prefix("kernel: "));

+};

+

+############################################################

+## generic destinations

+

+destination df_facility_dot_info   { file("/var/log/$FACILITY.info");   };

+destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };

+destination df_facility_dot_warn   { file("/var/log/$FACILITY.warn");   };

+destination df_facility_dot_err    { file("/var/log/$FACILITY.err");    };

+destination df_facility_dot_crit   { file("/var/log/$FACILITY.crit");   };

+

+############################################################

+## generic filters

+

+filter f_strip { strip(ips); };

+filter f_at_least_info   { level(info..emerg);   };

+filter f_at_least_notice { level(notice..emerg); };

+filter f_at_least_warn   { level(warn..emerg);   };

+filter f_at_least_err    { level(err..emerg);    };

+filter f_at_least_crit   { level(crit..emerg);   };

+

+############################################################

+## auth.log

+

+filter f_auth { facility(auth, authpriv); };

+destination df_auth { file("/var/log/auth.log"); };

+log {

+    source(s_all);

+    filter(f_auth);

+    destination(df_auth);

+};

+

+############################################################

+## daemon.log

+

+filter f_daemon { facility(daemon); };

+destination df_daemon { file("/var/log/daemon.log"); };

+log {

+    source(s_all);

+    filter(f_daemon);

+    destination(df_daemon);

+};

+

+############################################################

+## kern.log

+

+filter f_kern { facility(kern); };

+destination df_kern { file("/var/log/kern.log"); };

+log {

+    source(s_all);

+    filter(f_kern);

+    destination(df_kern);

+};

+

+############################################################

+## user.log

+

+filter f_user { facility(user); };

+destination df_user { file("/var/log/user.log"); };

+log {

+    source(s_all);

+    filter(f_user);

+    destination(df_user);

+};

+

+############################################################

+## sympa.log

+

+filter f_sympa { program("^(sympa|bounced|archived|task_manager)"); };

+destination d_sympa { file("/var/log/sympa.log"); };

+log {

+   source(s_all);

+   filter(f_sympa);

+   destination(d_sympa);

+   flags(final);

+};

+

+############################################################

+## wwsympa.log

+

+filter f_wwsympa { program("^wwsympa"); };

+destination d_wwsympa { file("/var/log/wwsympa.log"); };

+log {

+   source(s_all);

+   filter(f_wwsympa);

+   filter(f_strip);

+   destination(d_wwsympa);

+   flags(final);

+};

+

+############################################################

+## ldap.log

+

+filter f_ldap { program("slapd"); };

+destination d_ldap { file("/var/log/ldap.log"); };

+log {

+   source(s_all);

+   filter(f_ldap);

+   destination(d_ldap);

+   flags(final);

+};

+

+############################################################

+## postfix.log

+

+# special source because of chroot jail

+#source s_postfix { unix-stream("/var/spool/postfix/dev/log" keep-alive(yes)); }; 

+filter f_postfix { program("^postfix/"); };

+destination d_postfix { file("/var/log/postfix.log"); };

+log {

+   source(s_all);

+   filter(f_postfix);

+   filter(f_strip);

+   destination(d_postfix);

+   flags(final);

+};

+

+############################################################

+## courier.log

+

+filter f_courier { program("courier|imap|pop"); };

+destination d_courier { file("/var/log/courier.log"); };

+log {

+   source(s_all);

+   filter(f_courier);

+   filter(f_strip);

+   destination(d_courier);

+   flags(final);

+};

+

+############################################################

+## maildrop.log

+

+filter f_maildrop { program("^maildrop"); };

+destination d_maildrop { file("/var/log/maildrop.log"); };

+log {

+   source(s_all);

+   filter(f_maildrop);

+   destination(d_courier);

+   flags(final);

+};

+

+############################################################

+## mail.log

+

+filter f_mail { facility(mail); };

+destination df_mail { file("/var/log/mail.log"); };

+

+log {

+    source(s_all);

+    filter(f_mail);

+    destination(df_mail);

+};

+

+############################################################

+## messages.log

+

+filter f_messages {

+   level(debug,info,notice)

+   and not facility(auth,authpriv,daemon,mail,user,kern);

+};

+destination df_messages { file("/var/log/messages.log"); };

+log {

+    source(s_all);

+    filter(f_messages);

+    destination(df_messages);

+};

+

+############################################################

+## errors.log

+

+filter f_errors {

+   level(warn,err,crit,alert,emerg)

+   and not facility(auth,authpriv,daemon,mail,user,kern);

+};

+destination df_errors { file("/var/log/errors.log"); };

+log {

+   source(s_all);

+   filter(f_errors);

+   destination(df_errors);

+};

+

+############################################################

+## emergencies

+

+filter f_emerg { level(emerg); };

+destination du_all { usertty("*"); };

+log {

+   source(s_all);

+   filter(f_emerg);

+   destination(du_all);

+};

+

+############################################################

+## console messages

+

+filter f_xconsole {

+    facility(daemon,mail)

+    or level(debug,info,notice,warn)

+    or (facility(news)

+    and level(crit,err,notice));

+};

+destination dp_xconsole { pipe("/dev/xconsole"); };

+log {

+    source(s_all);

+    filter(f_xconsole);

+    destination(dp_xconsole);

+};

+
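Review bot: The maildrop log path sends its messages to `destination(d_courier)` rather than the `d_maildrop` destination defined two lines above it, so /var/log/maildrop.log is never written and maildrop lines end up in courier.log; the line should read `destination(d_maildrop);`. Since this sample exists to demonstrate the anonymisation policy, it is also worth making explicit which program-specific paths do not run f_strip: sympa, slapd and maildrop are written unstripped while wwsympa, postfix and courier are stripped, so if slapd's connection logging carries peer addresses they survive in ldap.log — either say in a comment that this is intentional or add `filter(f_strip);` to those paths. Finally, `program("courier|imap|pop")` is unanchored, unlike the `^`-anchored patterns around it, so it also claims any program whose name merely contains "imap" or "pop".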

diff -uNr src/cfg-grammar.y src/cfg-grammar.y

--- src/cfg-grammar.y   2004-09-17 04:21:06.000000000 -0500

+++ src/cfg-grammar.y   2005-05-30 18:25:40.826858634 -0500

@@ -89,7 +89,7 @@

 %token KW_REMOVE_IF_OLDER KW_LOG_PREFIX KW_PAD_SIZE

 

 /* filter items*/

-%token KW_FACILITY KW_LEVEL KW_NETMASK KW_HOST KW_MATCH

+%token KW_FACILITY KW_LEVEL KW_NETMASK KW_HOST KW_MATCH KW_STRIP KW_REPLACE

 

 /* yes/no switches */

 %token KW_YES KW_NO

@@ -669,6 +669,8 @@

    | KW_NETMASK '(' string ')'             { $$ = make_filter_netmask($3); free($3); }

    | KW_HOST '(' string ')'      { $$ = make_filter_host($3); free($3); }   

    | KW_MATCH '(' string ')'      { $$ = make_filter_match($3); free($3); }

+   | KW_STRIP '(' string ')'      { $$ = make_filter_strip($3); free($3); }

+   | KW_REPLACE '(' string string ')'      { $$ = make_filter_replace($3,$4); free($3); free($4); }

    | KW_FILTER '(' string ')'      { $$ = make_filter_call($3); free($3); }

    ;
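Review bot: Both new productions store the result of make_filter_strip()/make_filter_replace() in `$$` unchecked, and make_filter_replace() in the filters.c hunk returns NULL after reporting a regcomp() failure. That mirrors the KW_MATCH production, so it is only safe if whatever consumes these filter nodes already rejects NULL; that code is outside the hunk, and if it does not, a mistyped strip() regex becomes a NULL dereference at the first log message instead of a configuration error. A grammar comment should also state that strip()/replace() are side-effecting filters: do_filter_replace rewrites the message and returns 1 unconditionally, so `not strip(...)` rewrites the message and then drops it, and if the evaluator short-circuits `and` (not visible here) a strip() placed after a false term never runs.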

 

diff -uNr src/cfg-lex.l src/cfg-lex.l

--- src/cfg-lex.l   2005-05-30 18:27:50.829842715 -0500

+++ src/cfg-lex.l   2005-05-30 18:25:40.827858450 -0500

@@ -140,6 +140,8 @@

    { "netmask",            KW_NETMASK },

         { "host",               KW_HOST },

         { "match",      KW_MATCH },

+        { "strip",      KW_STRIP },

+        { "replace",   KW_REPLACE },

 

    /* on/off switches */

    { "yes",      KW_YES },

diff -uNr src/filters.c src/filters.c

--- src/filters.c   2004-01-13 12:08:02.000000000 -0600

+++ src/filters.c   2005-05-30 18:25:40.827858450 -0500

@@ -163,6 +163,7 @@

      (name filter_expr_re)

      (super filter_expr_node)

      (vars

+       (replace string)

        (regex special-struct regex_t #f free_regexp)))

 */

 

@@ -226,6 +227,78 @@

    return &self->super;

 }

 

+struct filter_expr_node *make_filter_strip(const char *re)

+{

+   if (strcasecmp(re,"ips") == 0)

+      return make_filter_replace(re,"0.0.0.0");

+   else

+      return make_filter_replace(re,"----");

+}

+

+#define FMIN(a,b) (a)<(b) ? (a):(b)

+

+static int do_filter_replace(struct filter_expr_node *c, 

+            struct log_filter *rule UNUSED,

+            struct log_info *log)

+{

+   CAST(filter_expr_re, self, c);

+   char * buffer = log->msg->data;

+   int snippet_size;

+   regmatch_t pmatch;

+   char new_msg[2048];

+   char * new_msg_max = new_msg+2048;

+   char * new_msg_ptr = new_msg;

+   int replace_length = strlen(self->replace->data);

+   

+   int error = regexec(&self->regex, buffer, 1, &pmatch, 0);

+   if (error != 0) return 1;

+   while (error==0) {

+      /* copy string snippet which preceeds matched text */

+      snippet_size = FMIN(pmatch.rm_so, new_msg_max-new_msg_ptr);

+      memcpy(new_msg_ptr, buffer, snippet_size);

+      new_msg_ptr += snippet_size;

+

+      /* copy replacement string */

+      snippet_size = FMIN(replace_length, new_msg_max-new_msg_ptr);

+      memcpy(new_msg_ptr, self->replace->data, snippet_size);

+      new_msg_ptr += snippet_size;

+

+      /* search for next match */

+      buffer += pmatch.rm_eo;

+      error = regexec (&self->regex, buffer, 1, &pmatch, REG_NOTBOL);

+   }

+   /* copy the rest of the old msg */

+   snippet_size = FMIN(strlen(buffer),new_msg_max-new_msg_ptr);

+   memcpy(new_msg_ptr, buffer, snippet_size); 

+   new_msg_ptr += snippet_size;

+

+   ol_string_free(log->msg);

+   log->msg = c_format_cstring("%s", new_msg_ptr-new_msg,new_msg);

+   return 1;

+}

+

+struct filter_expr_node *make_filter_replace(const char *re, const char *replacement)

+{

+   int regerr;

+   NEW(filter_expr_re, self);

+   self->super.eval = do_filter_replace;

+   self->replace = format_cstring(replacement);

+   

+   if (strcasecmp(re,"ips") == 0) {

+      re = "(25[0-5]|2[0-4][0-9]|[0-1]?[0-9]?[0-9])([\\.\\-](25[0-5]|2[0-4][0-9]|[0-1]?[0-9]?[0-9])){3}";

+   }

+   regerr = regcomp(&self->regex, re, REG_ICASE | REG_EXTENDED);

+   if (regerr) {

+      char errorbuf[256];

+      regerror(regerr, &self->regex, errorbuf, sizeof(errorbuf));

+      werror("Error compiling regular expression: \"%z\" (%z)\n", re, errorbuf);

+      KILL(self);

+      return NULL;

+   }

+

+   return &self->super;

+}

+

 static int do_filter_prog(struct filter_expr_node *c, 

            struct log_filter *rule UNUSED,

            struct log_info *log)
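Review bot: The rewrite loop in do_filter_replace never terminates on an empty match: if the regex can match zero characters (any pattern like `foo*` or `(x)?`), pmatch.rm_eo equals pmatch.rm_so, `buffer += pmatch.rm_eo` does not advance, and the next regexec() reports the same empty match, so the logger spins on the first message that reaches the filter. Only the admin chooses the regex, but a typo in syslog-ng.conf should be a config error, not a hang of the system logger; the fix is to step over one byte when a match is empty and stop at the terminator. Two smaller points in the same hunk: the rewritten message is silently cut at the fixed 2048-byte new_msg buffer (the copy sizes are clamped but nothing records the truncation), and the "ips" regex on the `re =` line matches dotted/dash-separated IPv4 only, so the README's "all internet addresses" is an over-claim — IPv6 and hostnames pass through, and the loose `[0-1]?[0-9]?[0-9]` alternatives also hit other dotted number groups such as version strings. Also confirm that log->msg->data is NUL-terminated at this point, since regexec() and strlen() both assume it; that is not visible in the hunk.
```c
      /* … unchanged: copy of the text before the match and of the replacement … */

      /* search for next match */
      buffer += pmatch.rm_eo;
      if (pmatch.rm_eo == pmatch.rm_so) {
         /* empty match: regexec() would report it again at the same
          * offset forever, so copy one byte through and step over it */
         if (*buffer == '\0') break;
         if (new_msg_ptr < new_msg_max) *new_msg_ptr++ = *buffer;
         buffer++;
      }
      error = regexec (&self->regex, buffer, 1, &pmatch, REG_NOTBOL);
```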

diff -uNr src/filters.h src/filters.h

--- src/filters.h   2002-02-04 10:07:50.000000000 -0600

+++ src/filters.h   2005-05-30 18:25:40.827858450 -0500

@@ -66,6 +66,8 @@

 struct filter_expr_node *make_filter_netmask(const char *nm);

 struct filter_expr_node *make_filter_host(const char *re);

 struct filter_expr_node *make_filter_match(const char *re);

+struct filter_expr_node *make_filter_strip(const char *re);

+struct filter_expr_node *make_filter_replace(const char *re, const char *replacement);

 struct filter_expr_node *make_filter_call(const char *name);

 

 #endif

```

----------

## thingy

syslog-ng-anon2.diff

```

--- src/filters.c.x   2006-05-24 10:29:15.000000000 +0100

+++ filters.c.x   2007-04-09 00:40:14.000000000 +0100

@@ -47,6 +47,7 @@

 struct filter_expr_re

 {

   struct filter_expr_node super;

+  struct ol_string *replace;

   regex_t regex;

 };

 extern struct ol_class filter_expr_re_class;

@@ -56,6 +57,7 @@

 static void do_filter_expr_re_free(struct ol_object *o)

 {

   struct filter_expr_re *i = (struct filter_expr_re *) o;

+  ol_string_free(i->replace);

   free_regexp(&(i->regex));

 }
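Review bot: `ol_string_free(i->replace)` now runs for every filter_expr_re object, but only make_filter_replace() (in the first patch) ever assigns `replace`; the existing match() filter built on the same class never sets it. Unless NEW() zero-fills the object and ol_string_free() accepts NULL — neither is visible in this hunk — freeing a match() filter on config reload or shutdown frees an uninitialised pointer. Guarding it is cheap and correct either way: `if (i->replace) ol_string_free(i->replace);`. Note also that this second patch exists because the first one only changed the class description comment in filters.c while the shipped, pre-generated filters.c.x still lacked the member; a comment to that effect would save the next person from applying only one of the two.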

```

----------

## thingy

syslog-ng-1.6.12-r1.ebuild

```

# Copyright 1999-2007 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/syslog-ng-1.6.12-r1.ebuild,v 1.1 2007/03/14 09:56:00 uberlord Exp $

# eutils provides epatch (used in src_unpack); fixheadtails provides
# ht_fix_file.
inherit fixheadtails eutils

DESCRIPTION="syslog replacement with advanced filtering features"

HOMEPAGE="http://www.balabit.com/products/syslog_ng/"

# ${PV%.*} drops the last version component (1.6.12 -> 1.6), the directory
# upstream sorts its tarballs into.
SRC_URI="http://www.balabit.com/downloads/syslog-ng/${PV%.*}/src/${P}.tar.gz"

LICENSE="GPL-2"

SLOT="0"

# Every arch is ~ (testing), as in the tree ebuild this was copied from.
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"

# hardened/selinux select the hardened sample config in src_install;
# static and tcpd are passed through to configure in src_compile.
IUSE="hardened selinux static tcpd"

RDEPEND=">=dev-libs/libol-0.3.16

   tcpd? ( >=sys-apps/tcp-wrappers-7.6 )"

DEPEND="${RDEPEND}

   sys-devel/flex"

# NOTE(review): this overlay copy keeps the tree ebuild's exact name and
# revision (1.6.12-r1), so it is only preferred over the unpatched tree
# ebuild by repository precedence (verify how your Portage resolves that
# tie), and the next tree revision bump will be installed without the anon
# patches unless the overlay is bumped too. Giving the overlay ebuild its
# own revision (e.g. -r2) makes the patched build an explicit upgrade.
PROVIDE="virtual/logger"

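src_unpack() {
   unpack ${A}
   cd "${S}" || die "cd ${S} failed"

   ## JC: Apply the syslog-ng-anon patch, plus the follow-up that adds the
   ## 'replace' member to the pre-generated filters.c.x (the first patch
   ## only changes the class description comment in filters.c, so it does
   ## not build on its own). Both patches are third-party code applied to
   ## the system logger with no checksum of their own; review them, or pin
   ## them by hash, before trusting a build from this overlay. epatch dies
   ## itself if a hunk fails to apply.
   epatch "${FILESDIR}"/syslog-ng-anon.diff
   epatch "${FILESDIR}"/syslog-ng-anon2.diff

   ht_fix_file configure

   # fix for bugs #104538 and bug #104475
   sed -i \
      -e "s:utils/::" \
      -e "s:--local-:--:" \
      configure \
      || die "sed failed"

   # The prebuilt HTML docs ship as a tarball inside doc/sgml; dohtml in
   # src_install needs them unpacked.
   cd "${S}/doc/sgml" || die "cd ${S}/doc/sgml failed"
   tar xzf syslog-ng.html.tar.gz || die "tar failed"
}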

src_compile() {
   # Configure switches; the static and tcpd USE flags map onto
   # --enable/--disable-full-static and --enable/--disable-tcp-wrapper.
   local myconf=(
      --disable-dependency-tracking
      --with-libol=/usr/bin
      $(use_enable static full-static)
      $(use_enable tcpd tcp-wrapper)
   )
   econf "${myconf[@]}" || die "econf failed"
   emake || die "emake failed"
}

src_install() {
   emake DESTDIR="${D}" install || die "emake install failed"

   # Documentation: upstream text files, the sample/demo configs and stress
   # script, the plain-text manual, the syslog.conf converter, and the
   # Gentoo sample configs shipped in FILESDIR.
   local docs=(
      AUTHORS ChangeLog INSTALL NEWS PORTS README
      doc/syslog-ng.conf.sample doc/syslog-ng.conf.demo doc/stresstest.sh
      doc/sgml/syslog-ng.txt contrib/syslog2ng
      "${FILESDIR}"/syslog-ng.conf.*
   )
   dodoc "${docs[@]}"
   dohtml doc/sgml/syslog-ng.html/*

   # Default configuration: the hardened variant when either the hardened
   # or the selinux USE flag is set, the plain one otherwise.
   local conf="${FILESDIR}/syslog-ng.conf.gentoo"
   if use hardened || use selinux ; then
      conf="${conf}.hardened"
   fi
   insinto /etc/syslog-ng
   newins "${conf}" syslog-ng.conf

   # Install snippet for logrotate, which may or may not be installed
   insinto /etc/logrotate.d
   newins "${FILESDIR}/syslog-ng.logrotate" syslog-ng

   newinitd "${FILESDIR}/syslog-ng.rc6-r1" syslog-ng
}

```

----------

