[logs] Error messages from syslogd
Mordechai T. Abzug
morty at frakir.org
Wed Jul 11 17:13:14 PDT 2007
On Thu, Jul 12, 2007 at 09:55:14AM +1200, Russell Fulton wrote:
> http://lists.jammed.com/loganalysis/2002/06/0015.html
This seems to assume that regexes are written in old-school regexp
rather than a more advanced regex engine, such as Perl's. Which is
odd, since Perl is explicitly mentioned in the article. Perl easily
lets you say things like \s (arbitrary whitespace, including space,
tab, and newline), \w (alphanumeric characters), \d (digit), etc.
And this can be taken to the next level. I've written and have been
maintaining a (free) tool since 1999 that, in its current version,
includes a GUI regex editor, with variable subpatterns. This lets the
user select a section of an "unknown" message that looks like it
should be generic, then select the "type" of the regex, to quickly
build generic regexes. The result is reasonably readable even to a
non-programmer. For example:
login: LOGIN ON ($pat{file}) BY ($pat{user})
. . .where $pat{file} and $pat{user} are canned subpatterns that
describe typical files and usernames, respectively. There are similar
patterns for whitespace, mail_address, zone, and the like. This lets
someone who is not a programmer at all, with just a few minutes of
training, write reasonably advanced regexes. Don't know if other
people/products have done similar things.
From a performance perspective, yes, you will definitely get better
performance out of a lex/yacc-based engine than Perl's regex engine.
However, I submit that for small to medium sized problem sets, you are
better off with being able to produce configurations rapidly than
worrying about performance.
- Morty
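
The canned-subpattern idea from the message above, as an added Perl example (not the author's tool or its code). The subpattern names "file" and "user" come from the message; their definitions, the "ip" subpattern, the second rule, and the log lines are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Canned subpatterns. The names "file" and "user" come from the message;
# these definitions are assumptions, not the tool's own.
my %pat = (
    file => qr{[\w./-]+},
    user => qr{[A-Za-z_][\w.-]*},
    ip   => qr{\d{1,3}(?:\.\d{1,3}){3}},   # hypothetical extra subpattern
);

# Rules keyed by program name. The first is the rule quoted in the message,
# anchored at both ends; the second is a hypothetical rule reusing subpatterns.
my %rules = (
    login => [
        qr{^LOGIN ON ($pat{file}) BY ($pat{user})\z},
        qr{^ROOT LOGIN ON ($pat{file})(?: FROM ($pat{ip}))?\z},
    ],
);

# Split a syslog line into program and message, then try that program's rules.
# Anything that matches no rule is returned as "unknown" so it gets reviewed.
sub classify {
    my ($line) = @_;
    my ($prog, $msg) =
        $line =~ m{^\w{3}\s+\d+\s[\d:]{8}\s\S+\s([\w./-]+)(?:\[\d+\])?:\s(.*)\z}
        or return ('unparsed', $line);
    for my $re (@{ $rules{$prog} || [] }) {
        if (my @fields = $msg =~ $re) {
            return ('known', $prog, @fields);
        }
    }
    return ('unknown', $prog, $msg);
}

# Constructed sample lines, not real log data.
my $sample = <<'END';
Jul 11 17:13:14 host1 login: LOGIN ON ttyp1 BY morty
Jul 11 17:14:02 host1 login: ROOT LOGIN ON console
Jul 11 17:15:40 host1 login: LOGIN ON ttyp2 BY bob BY root
Jul 11 17:16:05 host1 sshd[412]: message with no rule yet
END

for my $line (split /\n/, $sample) {
    my ($status, @rest) = classify($line);
    print join(' | ', $status, map { $_ // '-' } @rest), "\n";
}
```

Because each rule is anchored at both ends, the third line (extra text after the username) is reported as unknown rather than being absorbed by the login rule.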