That was my thought as well. I'm not seeing anything. The whole of what is before it is:
$OptimizeForUniprocessor off $MaxMessageSize 2048k # Rsyslog plugins $ModLoad immark # provides --MARK-- message capability $ModLoad imudp # provides UDP syslog reception $ModLoad imptcp # provides Plain TCP syslog reception $ModLoad imrelp # Provides RELP syslog reception $ModLoad omrelp # Provides RELP syslog transmission $ModLoad impstats $ModLoad omelasticsearch # Queue configuration $MainMsgQueueSize 10000000 $MainMsgQueueWorkerThreads 3 # Dynafile Configuration Options $DynaFileCacheSize 100000 # Rsyslog Stats $PStatInterval 60 $PStatSeverity 7 # imptcp Global Options # File Creation Permissions $umask 0000 $DirCreateMode 0755 $FileCreateMode 0644 # Variables set $!errorlevel = re_extract($msg, '^(.*)([\^])([0-9.-]+)\|([A-Z]+)\|(.*)', 1, 0); I'm not seeing anything that would explain why re_extract is erroring out. -- James ________________________________________ From: [email protected] [[email protected]] On Behalf Of David Lang [[email protected]] Sent: Wednesday, September 18, 2013 9:18 PM To: rsyslog-users Subject: Re: [rsyslog] Local Variables Usage Question double check the lines before this, you may have a stray quote somewhere. it's odd that it is complaining of the quote itself being invalid. David Lang On Wed, 18 Sep 2013, Boylan, James wrote: > Date: Wed, 18 Sep 2013 20:52:28 -0500 > From: "Boylan, James" <[email protected]> > Reply-To: rsyslog-users <[email protected]> > To: rsyslog-users <[email protected]> > Subject: Re: [rsyslog] Local Variables Usage Question > > Changed it to ' and got the same error: > > Reading a token: 5455.907552881:7f4370bf8740: Called LogError, msg: error > during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line > 36: invalid character ''' in expression - is there an invalid escape sequence > somewhere? > rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on > or before line 36: invalid character ''' in expression - is there an invalid > escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] > 5455.907567751:7f4370bf8740: Called LogError, msg: error during parsing file > /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: invalid > character '^' in expression - is there an invalid escape sequence somewhere? > rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on > or before line 36: invalid character '^' in expression - is there an invalid > escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] > Next token is token '(' () > Shifting token '(' () > Entering state 40 > Reading a token: 5455.907600532:7f4370bf8740: Called LogError, msg: error > during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line > 36: invalid character '.' in expression - is there an invalid escape sequence > somewhere? > rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on > or before line 36: invalid character '.' in expression - is there an invalid > escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] > Next token is token '*' () > 5455.907619472:7f4370bf8740: Called LogError, msg: error during parsing file > /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: syntax error on > token '*' > rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on > or before line 36: syntax error on token '*' [try > http://www.rsyslog.com/e/2207 ] > > > -- James > ________________________________________ > From: [email protected] [[email protected]] > On Behalf Of David Lang [[email protected]] > Sent: Wednesday, September 18, 2013 6:31 PM > To: rsyslog-users > Subject: Re: [rsyslog] Local Variables Usage Question > > try changing " to ' > > rsyslog used to be senstive to this (and required different types of quotes in > different places), I thought Rainer had changed it so it wasn't, but he may > have > missed a spot. > > David Lang > > On Wed, 18 Sep 2013, Boylan, James wrote: > >> Date: Wed, 18 Sep 2013 18:19:55 -0500 >> From: "Boylan, James" <[email protected]> >> Reply-To: rsyslog-users <[email protected]> >> To: rsyslog-users <[email protected]> >> Subject: Re: [rsyslog] Local Variables Usage Question >> >> So $! definitely works. However I'm seeing some strange behavior with >> re_extract() >> >> Using: >> set $!errorlevel = re_extract($msg, "^(.*)([\^])([0-9.-]+)\|([A-Z]+)\|(.*)", >> 1, 0); >> >> I get the error: >> >> Reading a token: 6314.691436419:7f892e452740: Called LogError, msg: error >> during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line >> 36: invalid character '"' in expression - is there an invalid escape >> sequence somewhere? >> rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, >> on or before line 36: invalid character '"' in expression - is there an >> invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] >> 6314.691454673:7f892e452740: Called LogError, msg: error during parsing file >> /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: invalid >> character '^' in expression - is there an invalid escape sequence somewhere? >> rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, >> on or before line 36: invalid character '^' in expression - is there an >> invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] >> Next token is token '(' () >> Shifting token '(' () >> Entering state 40 >> Reading a token: 6314.691491894:7f892e452740: Called LogError, msg: error >> during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line >> 36: invalid character '.' in expression - is there an invalid escape >> sequence somewhere? >> rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, >> on or before line 36: invalid character '.' in expression - is there an >> invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] >> Next token is token '*' () >> 6314.691511476:7f892e452740: Called LogError, msg: error during parsing file >> /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: syntax error on >> token '*' >> rsyslogd: error during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, >> on or before line 36: syntax error on token '*' [try >> http://www.rsyslog.com/e/2207 ] >> >> -- James >> ________________________________________ >> From: [email protected] [[email protected]] >> On Behalf Of David Lang [[email protected]] >> Sent: Wednesday, September 18, 2013 3:15 PM >> To: rsyslog-users >> Subject: Re: [rsyslog] Local Variables Usage Question >> >> $. local files are processed for each message as well >> >> it's the global variables (also requiring 7.5.3) that persist from one >> message >> to another. >> >> David Lang >> >> On Wed, 18 Sep 2013, Boylan, James wrote: >> >>> Ah. That would make sense. I will try with $! Then. Assuming that it is >>> processed for each message. >>> >>> -- sent from mobile -- >>> >>> ----- Reply message ----- >>> From: "Rainer Gerhards" <[email protected]> >>> To: "rsyslog-users" <[email protected]> >>> Subject: [rsyslog] Local Variables Usage Question >>> Date: Wed, Sep 18, 2013 3:06 pm >>> >>> >>> >>> I think local vars require 7.5 >>> >>> Sent from phone, thus brief. >>> Am 18.09.2013 22:04 schrieb "Boylan, James" <[email protected]>: >>> >>>> 7.4.4 >>>> >>>> --James >>>> >>>> -- sent from mobile -- >>>> >>>> ----- Reply message ----- >>>> From: "Rainer Gerhards" <[email protected]> >>>> To: "rsyslog-users" <[email protected]> >>>> Subject: [rsyslog] Local Variables Usage Question >>>> Date: Wed, Sep 18, 2013 2:45 pm >>>> >>>> >>>> >>>> Which rsyslog version? >>>> >>>> Sent from phone, thus brief. >>>> Am 18.09.2013 21:38 schrieb "Boylan, James" <[email protected]>: >>>> >>>>> That would be great. >>>>> >>>>> Now that you have pointed it out I suspect it is the function >>>> re_extract(). >>>>> >>>>> However I can't seem to get it to be happy with what I'm placing into it. >>>>> >>>>> set $.errorlevel = re_extract($msg, >>>>> "^(.*)([\^])([0-9.-]+)\|([A-Z]+)\|(.*)",1,0); >>>>> >>>>> results with: >>>>> >>>>> Next token is token SET () >>>>> Shifting token SET () >>>>> Entering state 8 >>>>> Reading a token: 2942.763234538:7f8d47254740: Called LogError, msg: error >>>>> during parsing file /etc/rsyslog.d/rsyslog-port21516.conf, on or before >>>>> line 36: invalid character '$' in expression - is there an invalid escape >>>>> sequence somewhere? >>>>> rsyslogd: error during parsing file >>>> /etc/rsyslog.d/rsyslog-port21516.conf, >>>>> on or before line 36: invalid character '$' in expression - is there an >>>>> invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] >>>>> 2942.763249065:7f8d47254740: Called LogError, msg: error during parsing >>>>> file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: invalid >>>>> character '.' in expression - is there an invalid escape sequence >>>> somewhere? >>>>> rsyslogd: error during parsing file >>>> /etc/rsyslog.d/rsyslog-port21516.conf, >>>>> on or before line 36: invalid character '.' in expression - is there an >>>>> invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ] >>>>> Next token is token FUNC () >>>>> 2942.763276314:7f8d47254740: Called LogError, msg: error during parsing >>>>> file /etc/rsyslog.d/rsyslog-port21516.conf, on or before line 36: syntax >>>>> error on token 'errorlevel' >>>>> rsyslogd: error during parsing file >>>> /etc/rsyslog.d/rsyslog-port21516.conf, >>>>> on or before line 36: syntax error on token 'errorlevel' [try >>>>> http://www.rsyslog.com/e/2207 ] >>>>> Error: popping token SET () >>>>> Stack now 0 1 >>>>> Error: popping nterm conf () >>>>> Stack now 0 >>>>> Cleanup: discarding lookahead token FUNC () >>>>> Stack now 0 >>>>> 2942.763322066:7f8d47254740: Called LogError, msg: CONFIG ERROR: could >>>> not >>>>> interpret master config file '/etc/rsyslog.d/rsyslog-port21516.conf'. >>>>> rsyslogd: CONFIG ERROR: could not interpret master config file >>>>> '/etc/rsyslog.d/rsyslog-port21516.conf'. [try >>>>> http://www.rsyslog.com/e/2207 ] >>>>> 2942.763336393:7f8d47254740: GenerateLocalHostName uses 'xxxxxx' >>>>> rsyslogd: run failed with error -2207 (see rsyslog.h or try >>>>> http://www.rsyslog.com/e/2207 to learn what that number means) >>>>> >>>>> James T. Boylan >>>>> Senior Systems Engineer * Orbitz Worldwide >>>>> 500 W. Madison St. * Suite 1000 * Chicago, IL 60661 >>>>> Office: 312-260-2378 * Mobile: 312-863-9134 >>>>> >>>>> This email and any files transmitted with it are confidential and >>>> intended >>>>> solely for the use of the individual or entity to whom they are >>>> addressed. >>>>> If you have received this email in error please notify the system >>>> manager. >>>>> This message contains confidential information and is intended only for >>>> the >>>>> individual named. If you are not the named addressee you should not >>>>> disseminate, distribute or copy this e-mail. Please notify the sender >>>>> immediately by e-mail if you have received this e-mail by mistake and >>>>> delete this e-mail from your system. If you are not the intended >>>> recipient >>>>> you are notified that disclosing, copying, distributing or taking any >>>>> action in reliance on the contents of this information is strictly >>>>> prohibited. >>>>> >>>>> >>>>> -----Original Message----- >>>>> From: [email protected] [mailto: >>>>> [email protected]] On Behalf Of Rainer Gerhards >>>>> Sent: Wednesday, September 18, 2013 2:13 PM >>>>> To: rsyslog-users >>>>> Subject: Re: [rsyslog] Local Variables Usage Question >>>>> >>>>> No, but you can't use string property syntax in scripts. Its >>>>> >>>>> Set $.var = func($msg,...); >>>>> >>>>> I am not sure if there currently is a regex function, but think so. Can >>>>> check tomorrow when I am at a real machine. >>>>> >>>>> Sent from phone, thus brief. >>>>> Am 18.09.2013 20:52 schrieb "Boylan, James" <[email protected]>: >>>>> >>>>>> Ahh. I have to convert completely over to the new config structure to >>>>>> use variables? >>>>>> >>>>>> That explains the issue. >>>>>> >>>>>> -- James >>>>>> >>>>>> >>>>>> -----Original Message----- >>>>>> From: [email protected] [mailto: >>>>>> [email protected]] On Behalf Of Rainer Gerhards >>>>>> Sent: Wednesday, September 18, 2013 1:49 PM >>>>>> To: rsyslog-users >>>>>> Subject: Re: [rsyslog] Local Variables Usage Question >>>>>> >>>>>> You are mixing string template with script syntax! >>>>>> >>>>>> Sent from phone, thus brief. >>>>>> Am 18.09.2013 19:44 schrieb "Boylan, James" <[email protected]>: >>>>>> >>>>>>> I'm attempting to use local variables as a means to reduce the >>>>>>> overall impact of the regex per message. However I seem to be >>>>>>> running into a hurdle that I can find any documentation on. >>>>>>> >>>>>>> Specifically I'm attempting to use: >>>>>>> set $.errorlevel = >>>>>>> %msg:R,ERE,4,BLANK:^(.*)([\^])([0-9.-]+)\|([A-Z]+)\|(.*)--end%; >>>>>>> set $.session = >>>>>>> %msg:R,ERE,8,BLANK:^(.*)([\^])([0-9.-]+)\|([A-Z]+)\|([a-zA-Z0-9.-]+) >>>>>>> \| >>>>>>> ([a-zA-Z0-9._-]+)\|([a-zA-Z0-9]*)\|([a-zA-Z0-9._-]*)[~]*([a-zA-Z0-9. >>>>>>> _- >>>>>>> ]*)\|(.*)--end%; >>>>>>> set $.appname = >>>>>>> %msg:R,ERE,1,DFLT:^([A-Za-z0-9._-]+)\|([A-Za-z0-9._-]+)\|([A-Za-z0-9 >>>>>>> ._ ]+)[-_]*([A-Za-z0-9_-]*)([\^])--end%; >>>>>>> set $.appversion = >>>>>>> %msg:R,ERE,2,DFLT:^([A-Za-z0-9._-]+)\|([A-Za-z0-9._-]+)\|([A-Za-z0-9 >>>>>>> ._ ]+)[-_]*([A-Za-z0-9_-]*)([\^])--end%; >>>>>>> set $.appinstance = >>>>>>> %msg:R,ERE,3,DFLT:^([A-Za-z0-9._-]+)\|([A-Za-z0-9._-]+)\|([A-Za-z0-9 >>>>>>> ._ ]+)[-_]*([A-Za-z0-9_-]*)([\^])--end%; >>>>>>> set $,logtype = >>>>>>> %msg:R,ERE,4,DFLT:^([A-Za-z0-9._-]+)\|([A-Za-z0-9._-]+)\|([A-Za-z0-9 >>>>>>> .] >>>>>>> +)[-_]*([A-Za-z0-9_]*)[_-]*[a-zA-Z0-9_-]*([\^])--end%; >>>>>>> set $.cleanmessage = >>>>>>> >>>> %msg:R,ERE,5,FIELD:^([A-Za-z0-9._-]+)\|([A-Za-z0-9._-]+)\|([A-Za-z0-9. >>>>>>> _]+)[-_]*([A-Za-z0-9_-]*)[\^](.*)--end%; >>>>>>> >>>>>>> Which results in: >>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see >>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that >>>>>>> number >>>>>>> means) >>>>>>> >>>>>>> I know it must be something in how I'm trying to define these. >>>>>>> However I haven't been able to find a definitive document on using >>>>>>> them to truly clarify it. >>>>>>> >>>>>>> Does anyone have any suggestions? >>>>>>> >>>>>>> Thanks! >>>>>>> >>>>>>> --James >>>>>>> _______________________________________________ >>>>>>> rsyslog mailing list >>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>>>> http://www.rsyslog.com/professional-services/ >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE >>>>>>> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if >>>>>>> you DON'T LIKE THAT. >>>>>>> >>>>>> _______________________________________________ >>>>>> rsyslog mailing list >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>>> http://www.rsyslog.com/professional-services/ >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE >>>> WELL: >>>>>> This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites >>>>>> beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>>>>> LIKE THAT. >>>>>> _______________________________________________ >>>>>> rsyslog mailing list >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>>> http://www.rsyslog.com/professional-services/ >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE >>>>>> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >>>>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>>>>> DON'T LIKE THAT. >>>>>> >>>>> _______________________________________________ >>>>> rsyslog mailing list >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>> http://www.rsyslog.com/professional-services/ >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: >>>>> This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites >>>>> beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE >>>>> THAT. >>>>> _______________________________________________ >>>>> rsyslog mailing list >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>> http://www.rsyslog.com/professional-services/ >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>>>> DON'T LIKE THAT. >>>>> >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com/professional-services/ >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>>> DON'T LIKE THAT. >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com/professional-services/ >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>>> DON'T LIKE THAT. >>>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>> LIKE THAT. >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>> LIKE THAT. >>> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
