
Using Strings and Regular Expressions to Refine the Set of Logged Messages

 

The predefined facilities group together related messages, but you can also match messages against strings and regular expressions to refine which messages from a facility are logged to a file, a user terminal, or a remote destination.

The match-strings and match configuration statements enable you to match system log messages against a string or regular expression, respectively. You can include these statements at the following hierarchy levels:

  • [edit system syslog file filename] (for a file)

  • [edit system syslog user (username | *)] (for a specific user session or for all user sessions on a terminal)

  • [edit system syslog host (hostname | other-routing-engine)] (for a remote destination)

To evaluate messages against a regular expression and only log matching messages to the given destination, include the match statement and specify the regular expression:

Starting with Junos OS Release 16.1, you can use simple string comparisons to filter messages more efficiently, because a string comparison is less CPU-intensive than matching against complex regular expressions. To specify the text string that must appear in a message for the message to be logged to a destination, include the match-strings statement and specify the matching string or list of strings:

The match-strings and match statements select messages with the configured facility and severity that match the given string or regular expression. The match-strings statement performs a simple string comparison, and as a result, it is less CPU-intensive than using the match statement to match against complex regular expressions. If you configure both the match and match-strings statements for the same destination, Junos OS evaluates the match-strings condition first; if the message includes any of the configured substrings, then the message is logged and the match condition is not evaluated. If the match-strings condition is not satisfied, then the system evaluates the message against the regular expression in the match configuration statement.
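The evaluation order described above matters when a negated match expression (the leading ! operator listed in Table 1) shares a destination with match-strings: a substring hit logs the message before the exclusion is evaluated. The following Python model is an added example, not Juniper code or Junos output; the helper names, the pattern !(.*snmpd.*), the sample messages, and the case-sensitive substring test are assumptions, and Python's re module stands in for POSIX extended regular expressions.

```python
import re

# Constructed sample messages (not real Junos output); facility and severity
# selection is assumed to have passed already.
SNMPD_FAIL = "r1 snmpd[1412]: trap send failed"
RPD_FAIL = "r1 rpd[1501]: task failed: bad state"
SNMPD_UPPER = "r1 SNMPD[1412]: agent restart"


def destination_logs(message, match_strings=(), match=None):
    """Return True if a destination with these statements would log the message.

    Hypothetical helper modelling the order described in the text. Assumptions:
    Python's re approximates POSIX ERE, and match-strings is modelled as a
    case-sensitive substring test.
    """
    # 1. match-strings is evaluated first: any configured substring present
    #    means the message is logged and the match expression is never consulted.
    if any(s in message for s in match_strings):
        return True
    # Without a match statement, the substring result is final.
    if match is None:
        return not match_strings
    # 2. Otherwise evaluate the match expression. A leading "!" is the
    #    Junos OS-specific negation; the match statement is not case-sensitive.
    negate = match.startswith("!")
    pattern = match[1:] if negate else match
    hit = re.search(pattern, message, re.IGNORECASE) is not None
    return hit != negate


def logged(messages, **statements):
    """Filter a list of messages through one destination's statements."""
    return [m for m in messages if destination_logs(m, **statements)]


if __name__ == "__main__":
    msgs = [SNMPD_FAIL, RPD_FAIL, SNMPD_UPPER]
    # Exclusion alone: only the rpd message is logged.
    print(logged(msgs, match="!(.*snmpd.*)"))
    # Adding match-strings lets the snmpd "failed" message through again.
    print(logged(msgs, match_strings=["failed"], match="!(.*snmpd.*)"))
```

In this model the second call logs the snmpd failure despite the exclusion, so an exclusion that must hold should not share a destination with a match-strings entry that can occur in the excluded messages.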

When specifying regular expressions for the match statement, use the notation defined in POSIX Standard 1003.2 for extended (modern) UNIX regular expressions. Explaining regular expression syntax is beyond the scope of this document, but POSIX standards are available from the Institute of Electrical and Electronics Engineers (IEEE, http://www.ieee.org).

Table 1 specifies which character or characters are matched by some of the regular expression operators that you can use in the match statement. In the descriptions, the word "term" refers to either a single alphanumeric character or a set of characters enclosed in square brackets, parentheses, or braces.

Note

The match statement is not case-sensitive.

Table 1: Regular Expression Operators for the match Statement

Operator                       Matches

. (period)                     One instance of any character except the space.

* (asterisk)                   Zero or more instances of the immediately preceding term.

+ (plus sign)                  One or more instances of the immediately preceding term.

? (question mark)              Zero or one instance of the immediately preceding term.

| (pipe)                       One of the terms that appears on either side of the pipe operator.

! (exclamation point)          Any string except the one specified by the expression, when the exclamation point appears at the start of the expression. Use of the exclamation point is Junos OS-specific.

^ (caret)                      Start of a line, when the caret appears outside square brackets. One instance of any character that does not follow it within square brackets, when the caret is the first character inside square brackets.

$ (dollar sign)                End of a line.

[ ] (paired square brackets)   One instance of one of the enclosed alphanumeric characters. To indicate a range of characters, use a hyphen ( - ) to separate the beginning and ending characters of the range. For example, [a-z0-9] matches any letter or number.

( ) (paired parentheses)       One instance of the evaluated value of the enclosed term. Parentheses are used to indicate the order of evaluation in the regular expression.

Using Strings and Regular Expressions

Filter messages that belong to the interactive-commands facility, directing those that include the string configure to the terminal of the root user:

Messages like the following appear on the root user’s terminal when a user issues a configure command to enter configuration mode:

Filter messages that belong to the daemon facility and have a severity of error or higher, directing them to the file /var/log/process-errors. Omit messages generated by the SNMP process (snmpd), instead directing them to the file /var/log/snmpd-errors: