3 Replies. Latest reply: Mar 22, 2012 3:53 PM by Fodome

    Kiwi Syslog - Filtering "Message" Using RegEx Not Responding

    alarainc

      I'm trying to set a MESSAGE filter looking for the string "src=10.1.1." - then I want to append a regex to limit the IP Addresses in this Rule.

      For example, the field input I use is:

      "src=10.1.1."[1-9]|[1-4][0-9] (src=10.1.1.1 thru src=10.1.1.149)

      but all IP's are visible.

      For testing, I use "src=10.1.1."[2], and make sure the test string IP Address is 10.1.1.2 - test passes.

      So I change the string to "src=10.1.1."[4], and force an event on that server. It appears in the messages - but so still do all the other IP's.

      Can someone identify why this regex is not working?

      Thx

        • Re: Kiwi Syslog - Filtering "Message" Using RegEx Not Responding
          Fodome

          Hello alarainc,

          The first thing you need to do is move your expression within the double-quotes.  Example: "src=10.1.1.[2]"

          The second thing you need to do is escape the periods. Example: "src=10\.1\.1\.[2]"

          To look for  10.1.1.0 to 10.1.1.149, I believe the following should work:

          "src=10\.1\.1\.[0-9]|[0-9][0-9]|[0-1][0-4][0-9]"

          Let me know if this works.

          Sincerely,

          Chris Foley | Support Representative
          SolarWinds | IT Management, Inspired By You
          Support:866.530.8040 || Fax:512.857.0125

            • Re: Kiwi Syslog - Filtering "Message" Using RegEx Not Responding
              alarainc

              Thanks for your help.

              Unfortunately that didn't work, so I tried to simplify things by using a single placeholder, i.e.

              "src=10.1.1."[0-9] and some variations.

              The TEST button would occasionally, but the filter was never as I needed.

              I then noticed I had the rule TYPE set to COMPLEX vs RegExp.

              It started working better after this! Doh!

              But the filter was still allowing 10.1.1.1, 10.1.1.2, etc - but also 10.1.1.1x and 10.1.1.xx, etc.

              I finally restricted the IP address to single or double digits by including the next character in the string (a parenthesis), and repeated the OR variations as follows:

              For IP Range 10.1.1.1 - 10.1.1.49 = "src=10.1.1.[1-9](" "src=10.1.1.[1-4][[0-9]("

              For IP Range 10.1.1.50 - 10.1.1.25x = "src=10.1.1.[5-9][[0-9](" "src=10.1.1.[1-2][0-5][0-9]("

              May not be the most efficient way - but it's working.