Using Regular Expressions to Refine the Set of Logged Messages

The predefined facilities group together related messages, but you can also use regular expression matching to specify more exactly which messages from a facility are logged to a file, a user terminal, or a remote destination.

To specify the text string that must (or must not) appear in a message for the message to be logged to a destination, include the match statement and specify the regular expression which the text string must match:

match "regular-expression";

You can include this statement at the following hierarchy levels:

• [edit system syslog file filename] (for a file)
• [edit system syslog user (username | *)] (for the terminal session of one or all users)
• [edit system syslog host (hostname | other-routing-engine)] (for a remote destination)

When you specify the regular expression, use the notation defined in POSIX Standard 1003.2 for extended (modern) UNIX regular expressions. Explaining regular expression syntax is beyond the scope of this document, but POSIX standards are available from the Institute of Electrical and Electronics Engineers (IEEE, http://www.ieee.org).

Table 13 specifies which character or characters are matched by some of the regular expression operators that you can use in the match statement. In the descriptions, the term term refers to either a single alphanumeric character or a set of characters enclosed in square brackets, parentheses, or braces.

NOTE: The match statement is not case-sensitive.

 

Table 13: Regular Expression Operators for the match Statement 

Operator	Matches
. (period)	One instance of any character except the space.
* (asterisk)	Zero or more instances of the immediately preceding term.
+ (plus sign)	One or more instances of the immediately preceding term.
? (question mark)	Zero or one instance of the immediately preceding term.
| (pipe)	One of the terms that appear on either side of the pipe operator.
! (exclamation point)	Any string except the one specified by the expression, when the exclamation point appears at the start of the expression. Use of the exclamation point is JUNOS-specific.
^ (caret)	The start of a line, when the caret appears outside square brackets. One instance of any character that does not follow it within square brackets, when the caret is the first character inside square brackets.
$ (dollar sign)	The end of a line.
[ ] (paired square brackets)	One instance of one of the enclosed alphanumeric characters. To indicate a range of characters, use a hyphen ( - ) to separate the beginning and ending characters of the range. For example, [a-z0-9] matches any letter or number.
( ) (paired parentheses)	One instance of the evaluated value of the enclosed term. Parentheses are used to indicate the order of evaluation in the regular expression.

Example: Using Regular Expressions

Filter messages that belong to the interactive-commands facility, directing those that include the string configure to the terminal of the root user:

[edit system syslog]

user root {

    interactive-commands any;

    match ".*configure.*";

}

Messages like the following appear on the root user's terminal when a user issues a configure command to enter configuration mode:

timestamp router-name mgd[PID]: UI_CMDLINE_READ_LINE: User 'user', command 
'configure private'

Filter messages that belong to the daemon facility and have severity error or higher, directing them to the file /var/log/process-errors. Omit messages generated by the snmpd process, instead directing them to the file /var/log/snmpd-errors:

[edit system syslog]

file process-errors {

    daemon error;

    match "!(.*snmpd.*)";

}

file snmpd-errors {

    daemon error;

    match ".*snmpd.*";

}