
Kiwi Syslog - Filtering "Message" Using RegEx Not Responding

FormerMember

I'm trying to set a MESSAGE filter looking for the string "src=10.1.1." - then I want to append a regex to limit the IP Addresses in this Rule.

For example, the field input I use is:

"src=10.1.1."[1-9]|[1-4][0-9] (src=10.1.1.1 thru src=10.1.1.149)

but all IPs are visible.

For testing, I use "src=10.1.1."[2], and make sure the test string IP Address is 10.1.1.2 - test passes.

So I change the string to "src=10.1.1."[4], and force an event on that server. It appears in the messages - but so still do all the other IPs.

Can someone identify why this regex is not working?

Thx

  • Hello alarainc,

    The first thing you need to do is move your expression within the double-quotes.  Example: "src=10.1.1.[2]"

    The second thing you need to do is escape the periods. Example: "src=10\.1\.1\.[2]"

    To look for  10.1.1.0 to 10.1.1.149, I believe the following should work:

    "src=10\.1\.1\.[0-9]|[0-9][0-9]|[0-1][0-4][0-9]"

    Let me know if this works.

    Sincerely,

    Chris Foley | Support Representative
    SolarWinds | IT Management, Inspired By You
    Support:866.530.8040 || Fax:512.857.0125

  • FormerMember in reply to Fodome

    Thanks for your help.

    Unfortunately that didn't work, so I tried to simplify things by using a single placeholder, i.e.

    "src=10.1.1."[0-9] and some variations.

    The TEST button would occasionally, but the filter was never as I needed.

    I then noticed I had the rule TYPE set to COMPLEX vs RegExp.

    It started working better after this! Doh!

    But the filter was still allowing 10.1.1.1, 10.1.1.2, etc - but also 10.1.1.1x and 10.1.1.xx, etc.

    I finally restricted the IP address to single or double digits by including the next character in the string (a parenthesis), and repeated the OR variations as follows:

    For IP Range 10.1.1.1 - 10.1.1.49 = "src=10.1.1.[1-9](" "src=10.1.1.[1-4][0-9]("

    For IP Range 10.1.1.50 - 10.1.1.25x = "src=10.1.1.[5-9][0-9](" "src=10.1.1.[1-2][0-5][0-9]("

    May not be the most efficient way - but it's working.
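    The two behaviours described in this thread (every address passing the filter, then 10.1.1.1x and 10.1.1.xx passing alongside 10.1.1.1) both come from how the regex is written, and they can be reproduced offline. The script below is an added example, not code from the thread or from Kiwi Syslog; it uses Python's `re` module as a stand-in for a "message matches" filter, and the sample messages are constructed in the `src=<ip>(` shape the poster relied on. The trailing parenthesis is escaped as `\(` because Python's `re` treats a bare `(` as an open group. It shows why an unparenthesised `|` alternation matches far more than intended, why grouping alone still lets 150 and 200 through, and two ways to pin the last octet: a `(?!\d)` lookahead, or the poster's trick of requiring the next literal character.

```python
import re

# Constructed sample syslog messages (not real log lines from the forum).
# Each carries a src= address followed by "(" as in the poster's logs, and a
# dst= address, so every line contains at least one run of two digits.
SAMPLE_MESSAGES = [
    "src=10.1.1.2(eth0) dst=192.168.0.5 proto=tcp",
    "src=10.1.1.49(eth0) dst=192.168.0.5 proto=tcp",
    "src=10.1.1.149(eth0) dst=192.168.0.5 proto=tcp",
    "src=10.1.1.150(eth0) dst=192.168.0.5 proto=tcp",
    "src=10.1.1.200(eth0) dst=192.168.0.5 proto=tcp",
    "src=10.2.2.9(eth0) dst=192.168.0.5 proto=tcp",
    "src=172.16.0.7(eth0) dst=10.0.0.1 proto=udp",
]


def matching_sources(pattern: str, messages=SAMPLE_MESSAGES) -> list[str]:
    """Return the src= address of every message the filter pattern matches.

    re.search stands in for a "message contains regex" filter: the pattern may
    match anywhere in the line, not only at its beginning.
    """
    regex = re.compile(pattern)
    hits = []
    for msg in messages:
        if regex.search(msg):
            hits.append(re.search(r"src=([\d.]+)", msg).group(1))
    return hits


# 1. The support reply's pattern as written. The '|' is not grouped, so the
#    pattern means  src=10.1.1.<d>  OR  <dd>  OR  <ddd>: any message that
#    contains two adjacent digits passes, whatever its source address.
UNGROUPED = r"src=10\.1\.1\.[0-9]|[0-9][0-9]|[0-1][0-4][0-9]"

# 2. The same alternatives wrapped in a group. The prefix now applies to all
#    of them, but the single-digit branch still matches the "1" of 150 or the
#    "2" of 200, because nothing stops the octet from continuing.
GROUPED = r"src=10\.1\.1\.(?:[0-9]|[0-9][0-9]|[0-1][0-4][0-9])"

# 3. Group plus a negative lookahead: the octet may not be followed by another
#    digit, so this is exactly 10.1.1.0 through 10.1.1.149.
BOUNDED = r"src=10\.1\.1\.(?:[0-9]|[1-9][0-9]|1[0-4][0-9])(?!\d)"

# 4. The poster's workaround for 10.1.1.1 - 10.1.1.49: require the literal
#    '(' that follows the address in these messages (escaped for Python).
OP_WORKAROUND = r"src=10\.1\.1\.(?:[1-9]|[1-4][0-9])\("


if __name__ == "__main__":
    for name, pat in [("ungrouped", UNGROUPED), ("grouped", GROUPED),
                      ("bounded", BOUNDED), ("op_workaround", OP_WORKAROUND)]:
        print(f"{name:13} -> {matching_sources(pat)}")
```

    Run it and the `ungrouped` line lists all seven addresses, which is the "all IPs are visible" symptom from the first post; `grouped` drops the other subnets but keeps 150 and 200; `bounded` and `op_workaround` give the intended ranges. The lookahead form is the one to prefer when the character after the address is not always the same.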

  • Cool.  Thanks for sharing.

    Chris Foley | Support Representative
    SolarWinds | IT Management, Inspired By You
    Support:866.530.8040 || Fax:512.857.0125