System log filter not filtering properly



  • The filter in the system log is not filtering properly.

    If I filter on 192.168.1.2, I see entries in the log for 192.168.1.2, 192.168.1.20 and 192.168.1.200.

    I tried using '192.168.1.2 ', i.e. a space after the 2, no joy. The same is seen in the ports filter, i.e. put a 5 in the port filter and it shows all ports with a 5 in it.

    2.2-RC (amd64)
    built on Fri Jan 16 11:53:08 CST 2015


  • Banned

    That works exactly as it should. Kindly read the linked PCRE manual to get exact match…



  • Working as programmed and working as the user expects are two different things.

    Anyway, having been through http://php.net/manual/en/language.expressions.php and looking at the page source, I see the IP address fields are text, so looking at this section
    "A very common type of expressions are comparison expressions. These expressions evaluate to either FALSE or TRUE. PHP supports > (bigger than), >= (bigger than or equal to), == (equal), != (not equal), < (smaller than) and <= (smaller than or equal to). The language also supports a set of strict equivalence operators: === (equal to and same type) and !== (not equal to or not same type). These expressions are most commonly used inside conditional execution, such as if statements."

    I wouldn't expect an equal or greater/less than to be used, i.e. <= or >=, but I would expect an equal or not equal to be used, i.e. == or !==

    so I'm still none the wiser as to how 192.168.100.200 is equal to 192.168.100.2 for example.

    The only thing I've learnt is php also supports ternary conditional operators.


  • Banned

    I already linked the proper docs, which - btw - are linked from the logs page as well.  http://php.net/manual/en/language.expressions.php is totally irrelevant.



  • Yeah, I know there's a link just below the filter section. The thing is, this is working more like an instring/substring function, which has different behaviours.

    I'm sure this worked differently in v1.x, I'll have to go check.


  • Rebel Alliance Developer Netgate

    It's working as it always has on 2.1.x and 2.2.

    When you filter, it's filtering not on an IP address as a distinct object, but matching the string.

    Think of it as "192.168.100.2", or ".192.168.100.2." to be more regex-like.

    If you want it to match only what you enter, anchor it and escape it in proper regex style. "^192\.168\.100\.2$"
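
The difference between typing an address as-is and anchoring and escaping it, shown as an added example that is not part of the original posts or of pfSense. It uses Python's `re` module in place of the PCRE engine (these patterns behave the same in both); the sample entries and the helper names `filter_field`, `exact`, `source_ips` and `dest_ports` are constructed for illustration.

```python
import re

# Constructed sample entries (source IP, destination port); not from a real log.
SAMPLE_LOG = [
    ("192.168.1.2", 443),
    ("192.168.1.20", 53),
    ("192.168.1.200", 5060),
    ("192.168.102.7", 5),
    ("10.0.0.5", 445),
]


def filter_field(entries, index, pattern):
    """Keep entries whose field matches `pattern` anywhere in the string
    (unanchored search, the behaviour described in the thread)."""
    rx = re.compile(pattern)
    return [e for e in entries if rx.search(str(e[index]))]


def exact(literal):
    """Pattern matching `literal` and nothing else: escape regex
    metacharacters such as '.', then anchor both ends."""
    return "^" + re.escape(literal) + "$"


def source_ips(pattern):
    return [e[0] for e in filter_field(SAMPLE_LOG, 0, pattern)]


def dest_ports(pattern):
    return [e[1] for e in filter_field(SAMPLE_LOG, 1, pattern)]


if __name__ == "__main__":
    # Typed as-is: substring match, and each '.' matches any character,
    # so 192.168.102.7 is returned as well as .20 and .200.
    print(source_ips("192.168.1.2"))
    # Escaped but not anchored: still a substring match.
    print(source_ips(r"192\.168\.1\.2"))
    # Escaped and anchored: only the one address.
    print(source_ips(exact("192.168.1.2")))
    # The port filter behaves the same way.
    print(dest_ports("5"), dest_ports(exact("5")))
```

When reviewing firewall logs for a single host, the unanchored form pulls in unrelated addresses, so the anchored and escaped pattern is the one to use.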



  • That's my bad, I should have realised it was regex, can't remember the last time I called it "regular expressions", so I was trying logical expressions, i.e. =+-<>&

    The thing that threw me is there are only 35 chars for the IP addresses, which isn't enough space for IPv6.

    Anyway for anyone else interested in how regex works, the link has some good examples to explain.
    http://www.proftpd.org/docs/howto/Regex.html

    or a quick overview can be seen below.

    ^ caret matches the start of a string, eg ^192 will match all entries that start with 192, ^10 will match all entries that start with 10, although not relevant on this page, but in other applications ^&foo will match all entries that start with &foo and ^@domain will match all entries that start with @domain

    $ dollar sign is similar but the opposite to caret in that it's used to match the end of a string, eg 10$ will match all entries that finish with 10, @domain$ will match all entries that finish with @domain.

    . period matches any single character eg 1.2 will match the 3 digit numbers  112, 122, 132, all the way up to 192, s.f will match any 3 letter word that starts with s and ends with f, eg saf, sbf, scf, sdf and so on.


    Numerics in square brackets can also contain a range eg [0-9] will match all entries that one or more of the numbers in the range specified inside the square brackets.

    | Vertical pipe/bar is an either or operator eg ^192|21$ will match either all entries that start with 192 or all entries that finish with 21.

    \ Backslash is used to prevent the special meaning of operators eg \. will make . (period/fullstop) behave like a period/fullstop and not a single char match, hence the \. in the example Jimp provided. \^ will prevent the caret operating as a match the start of a string eg \^foo will find all entries that contain ^foo.

    ? question mark will match once or not at all, eg 19?2 will return 192 and 12 only, he?llo will return hello or hllo

    * asterisk will match as many times as possible or not at all eg 192* will return 192, 19, 1922, 19222 and so on.

    + will match at least once 192+ will return 192, 1912, 1922, 1932 and so on.

    *, +, ? are acted upon first, followed by any concatenations and then finally |

    fwiw.

