As I said earlier, I think this is because kernel: is the programname, it's not
part of the message, so when you look for it in msg, you aren't ever going to
find it.

Output some of the logs with the format RSYSLOG_DebugFormat and look at what
gets put into each of the variables; it will help a lot when you run into issues
like this.

David Lang

On Mon, 2 Dec 2013, Chris Bartram wrote:

Tried the script with my example and it didn't indicate I needed to escape anything;

"^kernel: type=[0-9]+ audit"

Yet when I tried the following in my .conf file it didn't catch (suppress) any
records.

:msg, regex, "^kernel: type=[0-9]+ audit" stop

-Chris Bartram
"The purpose of life is not to be happy. It is to be useful, to be honorable, to be
compassionate, to have it make some difference that you have lived and lived well".
(Ralph Waldo Emerson)
--------------------------------------------
On Mon, 12/2/13, Rainer Gerhards <[email protected]> wrote:
Subject: Re: [rsyslog] regex filter syntax for v7
To: "rsyslog-users" <[email protected]>
Date: Monday, December 2, 2013, 11:04 AM

On Mon, Dec 2, 2013 at 3:28 PM, Rainer Gerhards <[email protected]> wrote:
> On Mon, Dec 2, 2013 at 1:39 PM, Chris Bartram <[email protected]> wrote:
>
>> Still looking for help on this. As I said I need REGEX syntax (including
>> characters that might need escaping) and didn't see anything helpful in the
>> online docs.
>>
> Well, basically you need to know how to form your POSIX ERE regexp. Once
> you have this string, you need to include it in a proper constant. For
> example a backslash is an escape character, so you need to escape it by using
> two backslashes (that's the same in any programming and config language,
> it's not rsyslog-specific...).
>
> Let me see if we can do a quick online tool for the escaping...
>
I have written a small escaper. It's available at:

http://www.rsyslog.com/rainerscript-constant-string-escaper/

Not 100% perfect yet, but I think it escapes everything correctly (but I
need to verify it against rsyslog code, which will not happen today). If you
have problems, let me know.

Rainer
>
> Rainer
>
>
>> Thanks,
>> Chris Bartram
>>
>>
>> --------------------------------------------
>> On Wed, 11/27/13, Chris Bartram <[email protected]> wrote:
>>
>> Subject: [rsyslog] regex filter syntax for v7
>> To: "rsyslog-users" <[email protected]>
>> Date: Wednesday, November 27, 2013, 12:24 AM
>>
>> Can someone provide me an example of a working regex (has to
>> be regex) filter I can use in my v7 rsyslog.conf on a RHEL5
>> server to ignore/drop messages meeting a specific expression?
>>
>> Examples I've tried didn't work; and I see notes in other
>> forums about needing to double-escape characters in the regex?
>>
>> **It would be extra helpful if the regex example could use
>> perl-like syntax? something like ^kernel\[\d+\] XYZ
>>
>> Thanks!
>> -Chris Bartram
>>
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED
>> by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE
>> and DO NOT POST if you DON'T LIKE THAT.
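
Added example (not part of the thread and not rsyslog code): a shell sketch of the point made in the top reply, that "kernel:" ends up in programname and so a pattern anchored on it can never match msg. The sample lines are constructed, grep stands in for the regex engine, and the property split, the leading space kept in msg, and the BRE/ERE comparison (rsyslog's documentation describes the `regex` compare operation as POSIX BRE and `ereregex` as POSIX ERE) are assumptions that go beyond what the thread states.

```shell
#!/bin/sh
# Constructed sample lines in traditional syslog layout (not from the thread).
KLINE='Dec  2 11:04:01 host1 kernel: type=1400 audit(1385999041.123:42): avc: denied'
SLINE='Dec  2 11:04:02 host1 sshd[2211]: Accepted publickey for admin'

# programname: the tag (5th field) cut at the first ':' or '['.
programname_of() {
    t=$(printf '%s\n' "$1" | awk '{print $5}')
    t=${t%%:*}; t=${t%%\[*}
    printf '%s\n' "$t"
}

# msg: everything after the tag. Assumption: the leading space is kept.
msg_of() { printf '%s\n' "$1" | sed -E 's/^([^ ]+ +){4}[^ ]+//'; }

# Match a property value against a pattern as POSIX BRE or POSIX ERE.
bre_match() { printf '%s\n' "$2" | grep -q -- "$1"; }
ere_match() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# Filter that tests tag and text separately, using ERE on msg only.
would_stop() {
    [ "$(programname_of "$1")" = kernel ] &&
        ere_match '^ ?type=[0-9]+ audit' "$(msg_of "$1")"
}

report() {  # $1 = label, remaining args = command to run
    label=$1; shift
    if "$@"; then echo "$label: match"; else echo "$label: no match"; fi
}

MSG=$(msg_of "$KLINE")
# The pattern from the thread, tested against msg: the tag is not there.
report 'ERE with "kernel:" against msg' ere_match '^kernel: type=[0-9]+ audit' "$MSG"
# In BRE, '+' and '?' are literal characters, so this fails as well.
report 'BRE without tag against msg' bre_match '^ ?type=[0-9]+ audit' "$MSG"
report 'ERE without tag against msg' ere_match '^ ?type=[0-9]+ audit' "$MSG"
report 'programname + ERE, kernel line' would_stop "$KLINE"
report 'programname + ERE, sshd line' would_stop "$SLINE"
```

Comparing these results with what RSYSLOG_DebugFormat shows for programname and msg on a real system confirms whether the assumed split holds there.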