Tried the script with my example and it didn't indicate I needed to escape anything; "^kernel: type=[0-9]+ audit"
Yet when I tried the following in my .conf file it didn't catch (suppress) any records.

:msg, regex, "^kernel: type=[0-9]+ audit" stop

-Chris Bartram

"The purpose of life is not to be happy. It is to be useful, to be honorable, to be compassionate, to have it make some difference that you have lived and lived well". (Ralph Waldo Emerson)

--------------------------------------------
On Mon, 12/2/13, Rainer Gerhards <[email protected]> wrote:

Subject: Re: [rsyslog] regex filter syntax for v7
To: "rsyslog-users" <[email protected]>
Date: Monday, December 2, 2013, 11:04 AM

On Mon, Dec 2, 2013 at 3:28 PM, Rainer Gerhards <[email protected]> wrote:

> On Mon, Dec 2, 2013 at 1:39 PM, Chris Bartram <[email protected]> wrote:
>
>> Still looking for help on this. As I said I need REGEX syntax (including
>> characters that might need escaping) and didn't see anything helpful in the
>> online docs.
>
> Well, basically you need to know how to form your POSIX ERE regexp. Once
> you have this string, you need to include it in a proper constant. For
> example a backslash is escape character, so you need to escape it by using
> two backslashes (that's the same in any programming and config language,
> it's not rsyslog-specific...).
>
> Let me see if we can do a quick online tool for the escaping...

I have written a small escaper. It's available at:

http://www.rsyslog.com/rainerscript-constant-string-escaper/

Not 100% perfect yet, but I think it escapes everything correctly (but I need to verify it against rsyslog code, not happen today). If you have problems, let me know.

Rainer

> Rainer
>
>> Thanks,
>> Chris Bartram
>>
>> --------------------------------------------
>> On Wed, 11/27/13, Chris Bartram <[email protected]> wrote:
>>
>> Subject: [rsyslog] regex filter syntax for v7
>> To: "rsyslog-users" <[email protected]>
>> Date: Wednesday, November 27, 2013, 12:24 AM
>>
>> Can someone provide me an example of a working regex (has to
>> be regex) filter I can use in my v7 rsyslog.conf on a RHEL5
>> server to ignore/drop messages meeting a specific
>> expression?
>>
>> Examples I've tried didn't work; and I see notes in other
>> forums about needing to double-escape characters in the
>> regex?
>>
>> **It would be extra helpful if the regex example could use
>> perl-like syntax? something like ^kernel\[\d+\] XYZ
>>
>> Thanks!
>> -Chris Bartram
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED
>> by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE
>> and DO NOT POST if you DON'T LIKE THAT.
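An added example, not part of the original thread: the rsyslog documentation describes the property-based `regex` compare operation as POSIX BRE and `ereregex` as POSIX ERE, and the two dialects read the `+` in the pattern from this thread differently. The script below uses `grep` (BRE) and `grep -E` (ERE) as stand-ins for the two dialects; the sample records and function names are constructed for the illustration.

```shell
#!/bin/sh
# Constructed sample records (not taken from the thread).
sample_lines() {
cat <<'EOF'
kernel: type=1400 audit(1386000000.123:45): avc: denied { read }
kernel: type=1300 audit(1386000000.124:46): arch=c000003e syscall=2
kernel: type=7+ audit literal-plus test line
sshd[2211]: Accepted publickey for chris
EOF
}

# The pattern exactly as written in the filter from the thread.
PATTERN='^kernel: type=[0-9]+ audit'

# POSIX BRE: "+" is an ordinary character, so the pattern means
# "one digit, a literal plus sign, then ' audit'".
count_bre() { sample_lines | grep -c -e "$PATTERN"; }

# POSIX ERE: "+" is the one-or-more quantifier the author intended.
count_ere() { sample_lines | grep -E -c -e "$PATTERN"; }

# Portable BRE spelling of "one or more digits": [0-9][0-9]*
count_bre_portable() {
    sample_lines | grep -c -e '^kernel: type=[0-9][0-9]* audit'
}

echo "BRE, pattern as written:    $(count_bre) line(s)"
echo "ERE, pattern as written:    $(count_ere) line(s)"
echo "BRE, [0-9][0-9]* rewritten: $(count_bre_portable) line(s)"
```

Under BRE only the constructed `type=7+` line matches, so a suppression rule written this way lets every real audit record through; which message property actually carries the `kernel:` prefix on a given system is a separate thing to check.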

