I'm having some trouble getting rsyslog to accept the syntax...

if $programname == 'apache' and $msg regex \" 2[0-9][0-9] [0-9]+ \" then @loghost
& ~

I was trying a bunch of different versions of the above and wasn't able to get any of them to work correctly.

0273.869497216:main thread: skipped whitespace, stream now 'regex " 4[0-9][0-9] " then @loghost'
0273.869510366:main thread: skipped whitespace, stream now 'regex " 4[0-9][0-9] " then @loghost'
0273.869523524:main thread: parser has an invalid word (token) 'regex'

Can you use regex with expression based filters? Is there a way to do what I'm trying to do?

Thanks,
Jonathan

On Fri, Sep 23, 2011 at 4:05 PM, Sean Conner <[email protected]> wrote:
> It was thus said that the Great [email protected] once stated:
>> On Fri, 23 Sep 2011, Jonathan Sabo wrote:
>>
>> without changing the format, you can do a regex match for " 4[0-9][0-9] "
>> and probably get pretty good results (you may get some false positives,
>> but by including the spaces before and after the value it hopefully won't
>> be too bad)
>
> A better regex would be
>
>     \" 4[0-9][0-9] [0-9]+ \"
>
> Just doing a " 4[0-9][0-9] " could possibly match a valid response that was in
> the 400-409 byte range. What I gave above at least does a better matching
> of that part of the line (if you are using one of the default formats from
> Apache).
>
> -spc
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
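
The difference between the two patterns discussed in this thread, as an added example that is not part of the original messages: both are run through grep -E over constructed Apache combined-format lines. The sample lines, the function names and the third pattern (which also accepts the "-" that Apache's %b logs when no body is sent) are assumptions added here.

```shell
#!/bin/sh
# Added example: compare the 4xx patterns from the thread on sample data.
# The log lines below are constructed for illustration (combined format).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [23/Sep/2011:16:00:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [23/Sep/2011:16:00:02 -0400] "GET /missing HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.12 - - [23/Sep/2011:16:00:03 -0400] "GET /small.txt HTTP/1.1" 200 404 "-" "Mozilla/5.0"
192.0.2.13 - - [23/Sep/2011:16:00:04 -0400] "HEAD /gone HTTP/1.1" 410 - "-" "curl/7.21"
EOF
}

# Pattern suggested first in the thread: status code between two spaces.
LOOSE=' 4[0-9][0-9] '
# Pattern from the reply: closing quote of the request, status, byte count,
# opening quote of the referer (rsyslog's \" escapes are not needed here).
STRICT='" 4[0-9][0-9] [0-9]+ "'
# Assumption added here: also accept "-" as the byte count.
STRICT_DASH='" 4[0-9][0-9] ([0-9]+|-) "'

# Print the number of sample lines an extended regex matches.
count_matches() {
    sample_log | grep -E -c -- "$1"
}

# Print the matching lines so false positives and misses can be inspected.
show_matches() {
    sample_log | grep -E -- "$1"
}

echo "loose:       $(count_matches "$LOOSE") lines"
echo "strict:      $(count_matches "$STRICT") lines"
echo "strict+dash: $(count_matches "$STRICT_DASH") lines"
echo "--- loose pattern matches (includes the 200 response of 404 bytes):"
show_matches "$LOOSE"
```

The loose pattern forwards the 200 response whose body is 404 bytes, while the stricter one drops that false positive but misses the HEAD request logged with "-" as its size.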

