3 Replies. Latest reply: Mar 22, 2012 3:53 PM by Fodome

Kiwi Syslog - Filtering "Message" Using RegEx Not Responding

alarainc

I'm trying to set a MESSAGE filter looking for the string "src=10.1.1." - then I want to append a regex to limit the IP Addresses in this Rule.

For example, the field input I use is:

"src=10.1.1."[1-9]|[1-4][0-9] (src=10.1.1.1 thru src=10.1.1.149)

but all IPs are visible.

For testing, I use "src=10.1.1."[2], and make sure the test string IP Address is 10.1.1.2 - test passes.

So I change the string to "src=10.1.1."[4], and force an event on that server. It appears in the messages - but so still do all the other IPs.

Can someone identify why this regex is not working?

Thx

  • Re: Kiwi Syslog - Filtering "Message" Using RegEx Not Responding
    Fodome

    Hello alarainc,

    The first thing you need to do is move your expression within the double-quotes.  Example: "src=10.1.1.[2]"

    The second thing you need to do is escape the periods. Example: "src=10\.1\.1\.[2]"

    To look for  10.1.1.0 to 10.1.1.149, I believe the following should work:

    "src=10\.1\.1\.[0-9]|[0-9][0-9]|[0-1][0-4][0-9]"

    Let me know if this works.

    Sincerely,

    Chris Foley | Support Representative
    SolarWinds | IT Management, Inspired By You
    Support:866.530.8040 || Fax:512.857.0125

    • Re: Kiwi Syslog - Filtering "Message" Using RegEx Not Responding
      alarainc

      Thanks for your help.

      Unfortunately that didn't work, so I tried to simplify things by using a single placeholder, i.e.

      "src=10.1.1."[0-9] and some variations.

      The TEST button would occasionally, but the filter was never as I needed.

      I then noticed I had the rule TYPE set to COMPLEX vs RegExp.

      It started working better after this! Doh!

      But the filter was still allowing 10.1.1.1, 10.1.1.2, etc - but also 10.1.1.1x and 10.1.1.xx, etc.

      I finally restricted the IP address to single or double digits by including the next character in the string (a parenthesis), and repeated the OR variations as follows:

      For IP Range 10.1.1.1 - 10.1.1.49 = "src=10.1.1.[1-9](" "src=10.1.1.[1-4][[0-9]("

      For IP Range 10.1.1.50 - 10.1.1.25x = "src=10.1.1.[5-9][[0-9](" "src=10.1.1.[1-2][0-5][0-9]("

      May not be the most efficient way - but it's working.
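The two regex problems discussed in this thread (an unparenthesised `|` that makes the alternation apply to the whole expression, and an unterminated last octet that lets `10.1.1.2` also match `10.1.1.200`) are easy to see by running the patterns over a few sample messages. The following is an added example, not code from the thread or from SolarWinds: it uses Python's `re` module as a stand-in for the Kiwi Syslog filter engine, the sample log lines are constructed, the patterns are written without the double quotes typed into the Kiwi field (that field's quoting is not modelled), and it assumes the filter engine accepts the non-capturing group `(?:...)` and the word boundary `\b`, which most Perl-style engines do. The `\(` variant reproduces the original poster's trick of matching the character that follows the IP.

```python
import re

# Constructed sample syslog message bodies, modelled on firewall log lines
# (not taken from the thread). Only the src= field matters here.
SAMPLE_MESSAGES = [
    "IN=eth0 src=10.1.1.2 dst=10.1.1.254 proto=tcp",
    "IN=eth0 src=10.1.1.49 dst=10.1.1.254 proto=udp",
    "IN=eth0 src=10.1.1.149 dst=10.1.1.254 proto=tcp",
    "IN=eth0 src=10.1.1.150 dst=10.1.1.254 proto=tcp",       # just outside 1-149
    "IN=eth0 src=10.1.1.200 dst=10.1.1.254 proto=tcp",       # starts with "2" like 10.1.1.2
    "IN=eth0 src=10.1.1.2(eth0) dst=10.1.1.254 proto=icmp",  # IP followed by "(" as in the thread
    "IN=eth0 src=10.2.1.2 dst=10.1.1.254 proto=tcp",         # different /24, must not match
    "IN=eth0 src=10x1y1z2 dst=10.1.1.254 proto=tcp",         # contrived: shows what unescaped dots accept
]

# 1. The pattern as first posted (quotes removed). "|" has the lowest precedence,
#    so this reads as  (src=10.1.1.[1-9])  OR  ([1-4][0-9])  and the second branch
#    matches the "10" in every address, so every message passes the filter.
OP_PATTERN = r"src=10.1.1.[1-9]|[1-4][0-9]"

# 2. The suggested reply pattern has the same structure: "[0-9][0-9]" on its own
#    matches any two digits anywhere in the line.
REPLY_PATTERN = r"src=10\.1\.1\.[0-9]|[0-9][0-9]|[0-1][0-4][0-9]"

# 3. Grouping the alternatives and terminating the octet with a word boundary
#    matches exactly 10.1.1.1 through 10.1.1.149 (assumed-supported syntax).
GROUPED_PATTERN = r"src=10\.1\.1\.(?:[1-9]|[1-9][0-9]|1[0-4][0-9])\b"

# 4. Same as 3 but with the dots left unescaped: "." matches any character.
UNESCAPED_PATTERN = r"src=10.1.1.(?:[1-9]|[1-9][0-9]|1[0-4][0-9])\b"

# 5. The poster's final approach for 1-49: require the literal "(" after the IP.
NEXT_CHAR_PATTERN = r"src=10\.1\.1\.(?:[1-9]|[1-4][0-9])\("


def matching_lines(pattern, messages=SAMPLE_MESSAGES):
    """Return the sample lines a filter with this regex would let through."""
    rx = re.compile(pattern)
    return [m for m in messages if rx.search(m)]


def src_of(line):
    """Extract the src= token of a sample line, for readable output."""
    return line.split("src=", 1)[1].split()[0]


if __name__ == "__main__":
    for name, pattern in [
        ("original post", OP_PATTERN),
        ("reply", REPLY_PATTERN),
        ("grouped + boundary", GROUPED_PATTERN),
        ("grouped, dots unescaped", UNESCAPED_PATTERN),
        ("next char '('", NEXT_CHAR_PATTERN),
    ]:
        hits = [src_of(l) for l in matching_lines(pattern)]
        print(f"{name:25} {pattern!r}\n{'':25} -> {hits}")
```

Running it shows the first two patterns passing all eight lines (which is the "all IPs are visible" symptom), the grouped pattern passing only 10.1.1.2, 10.1.1.49, 10.1.1.149 and 10.1.1.2(eth0), the unescaped variant additionally accepting the contrived `10x1y1z2`, and the `\(` pattern accepting only the line where a parenthesis follows the address.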