journald-query: also do regex tests case insensitive

[kbucheli]

I had to search a bit until I understood why

[root@lx-dt-01 ~]# journalctl --boot --reverse --priority=emerg..err --since=-8h --unit="sshd.service"
-- Logs begin at Mon 2024-01-22 03:07:35 CET, end at Wed 2024-03-06 17:12:24 CET. --
Mär 06 13:23:57 lx-dt-01.psi.ch sshd[1203315]: error: kex_exchange_identification: Connection closed by remote host
[root@lx-dt-01 ~]# 

is not matched by the regex

error: kex_exchange_identification: Connection closed by remote host

[markuslf]

I rejected the PR because we don't want to implement a hardcoded lowercase here, and leave it now up to the admin how exactly he wants to match. If you want to match case-insensitively, in --ignore-regex, you can use the (?i) switch. The plugin and the readme have been updated in the help section to reflect that.

[kbucheli]

It looks like there is a misunderstanding. I see I did not explicitly state the problem as such, I just provided an example.

The problem is that the regex is applied on the lower cased log message. This does not make much sense. And it puzzled me as admin very much when I have a regex with the exact message at it does not match. And all regex tests you do with any tester/test code outside matches...

There are two sensible options on how to deal with this:

• apply the regex to the original message (then it very much makes sense to leave it to the admin how to match the regex)
• apply the regex case insensitive to the lower cased message

For which of the above options shall I provide a PR?

[markuslf]

You are absolutely right. Thanks for offering a PR, but I just made the plugin case-sensitive in every way (which is much more consistent and expected behavior).

[kbucheli]

Perfect, thank you very much!