Hello and excuse my necromancy,

I'm having the same problem here and I've tried to escape the newline with something like this:

%message:char-to:x0a%

And I still can't get the messages parsed. Any ideas on how to parse Java logs with a rule like? Something in the lines of:

rule:= %time:word% %thread:word% %severity:word% %class:word% - %message:here-would-be-the-free-text-until-the-end-of-the-line

Ideally, I'd read these messages with imfile and ReadMode="1", and parse stacktraces nicely as well. But that would be a different milestone :)

Best regards,
Radu

2013/5/30 David Lang <[email protected]>

> On Tue, 28 May 2013, [email protected] wrote:
>
>> Hello list!
>>
>> [This message is in response to
>> http://lists.adiscon.net/pipermail/rsyslog/2013-March/032011.html.
>> I hope the "in-reply-to" header is taken over from the mailto-url to
>> Outlook.]
>>
>> I am searching for the same (or similar) thing. Neither lognorm nor
>> rsyslog's property-replacer options allow me to extract a string "from a
>> certain field till the end". In my case messages are of the form
>>
>> May 28 17:46:45: [0001]: %SNMP-6-INFO: authenticationFailure notification
>> sent to 10.11.12.13:123
>>
>> (yes, the date is also part of the message, so in the raw message the
>> date can be found twice).
>>
>> The %SNMP-6-INFO part varies and could as well be %AAA-6-INFO or other
>> strings, so a simple %msg:40:$% won't do the trick. Also the field-based
>> extraction won't help because there is no such thing as %msg:F,58:6-%
>> (which ideally would output the 6th and all subsequent fields separated by
>> a ":", similar to the unix cut command).
>>
>> So I'm struggling to get such a seemingly easy task as "everything from
>> there till the end" configured in rsyslog. Is there really no way other
>> than (resource hungry) regular expressions?
>>
>
> hmm, there is the 'from here to character X' option, what if you make
> character X be a newline?
>
> David Lang
>
>> Thanks and best regards,
>> Alex
>>
>> PS: There is something quite odd in the lognorm help. In chapter
>> "Rulebase" there is an expression "%INBOUND:char-to:-\x3a". My
>> understanding is that for char-to the additional information field must be
>> a single char, but here it is "-\x3a", i.e. two chars (dash and colon).
>>
>> PPS: Also, the help text for char-to is quite misleading, stating "the
>> field will be defined by the sign in the additional information" while it
>> should probably be more something akin to "the field will be defined by
>> everything until, but excluding, the sign in the additional information".
>>
>>> Unfortunately, I can't match only part of a string with liblognorm so I
>>> must match everything ... except that everything after the "05 :" part is
>>> not matchable.
>>> Ideally, this would be double quoted and thus, I could use the
>>> quoted-string identifier but unfortunately, this is not the case.
>>>
>>> Is there a way to do something like "char-to" which can take the whole
>>> string until the end of the line ?
>>> I tried something like this : %message:char-to:A% but it doesn't work :(
>>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
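
An added example, not part of the thread and not liblognorm code: a toy Python model of the rule Radu sketches, comparing `char-to` with a newline terminator against a rest-of-line field. The `rest` type name, the sample line, and the behaviour that `char-to` fails when its terminator never occurs are assumptions of this model.

```python
import re

# Toy model of rulebase matching; NOT liblognorm's implementation.
FIELD = re.compile(r"%(\w+):([\w-]+)(?::([^%]*))?%")

def compile_rule(rule):
    """Split a rule into ('lit', text) and ('field', name, type, extra)."""
    parts, pos = [], 0
    for m in FIELD.finditer(rule):
        if m.start() > pos:
            parts.append(("lit", rule[pos:m.start()]))
        parts.append(("field", m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if pos < len(rule):
        parts.append(("lit", rule[pos:]))
    return parts

def match(rule, line):
    """Return the extracted fields, or None if the line does not match."""
    out, i = {}, 0
    for part in compile_rule(rule):
        if part[0] == "lit":
            if not line.startswith(part[1], i):
                return None
            i += len(part[1])
            continue
        _, name, ftype, extra = part
        if ftype == "word":                  # up to next space or end of line
            j = line.find(" ", i)
            j = len(line) if j < 0 else j
        elif ftype == "char-to" and extra:   # up to, excluding, the terminator
            j = line.find(extra, i)          # assumption: absent terminator
            if j < 0:                        # means the field does not match
                return None
        elif ftype == "rest":                # everything left on the line
            j = len(line)
        else:
            return None
        if j == i and ftype != "rest":
            return None                      # empty word/char-to field
        out[name] = line[i:j]
        i = j
    return out if i == len(line) else None

# Constructed sample line and rules (layout follows the rule sketched above).
BASE = "%time:word% %thread:word% %severity:word% %class:word% - "
LINE = "12:01:33,120 main ERROR com.example.Dao - Connection refused: retry 3"
CHAR_TO_NL = BASE + "%message:char-to:\n%\n"
REST = BASE + "%message:rest%"
```

In this model, `match(CHAR_TO_NL, LINE)` returns `None` for a line that has already lost its trailing newline, while `match(REST, LINE)` returns all five fields.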

