On Tue, Dec 3, 2013 at 1:37 AM, Chris Bartram <[email protected]> wrote:

> Tried the script with my example and it didn't indicate I needed to escape
> anything; "^kernel: type=[0-9]+ audit"
>
> Yet when I tried the following in my .conf file it didn't catch (suppress)
> any records.
>
> :msg, regex, "^kernel: type=[0-9]+ audit" stop
>

By the way: this is just an old-style filter (which is fine). To test it,
you can use the regex checker tool at

http://www.rsyslog.com/regex

But you need to know, as David said, the actual data that is part of MSG
(and I agree with David that "kernel" is most probably not part of it). As
a brute-force, you can check against rawmsg and see what happens.

Rainer

> -Chris Bartram
>
> "The purpose of life is not to be happy. It is to be useful, to be
> honorable, to be compassionate, to have it make some difference that you
> have lived and lived well". (Ralph Waldo Emerson)
>
> --------------------------------------------
> On Mon, 12/2/13, Rainer Gerhards <[email protected]> wrote:
>
> Subject: Re: [rsyslog] regex filter syntax for v7
> To: "rsyslog-users" <[email protected]>
> Date: Monday, December 2, 2013, 11:04 AM
>
> On Mon, Dec 2, 2013 at 3:28 PM, Rainer Gerhards <[email protected]> wrote:
>
> > On Mon, Dec 2, 2013 at 1:39 PM, Chris Bartram <[email protected]> wrote:
> >
> >> Still looking for help on this. As I said I need REGEX syntax (including
> >> characters that might need escaping) and didn't see anything helpful in
> >> the online docs.
> >>
> >
> > Well, basically you need to know how to form your POSIX ERE regexp. Once
> > you have this string, you need to include it in a proper constant. For
> > example a backslash is escape character, so you need to escape it by using
> > two backslashes (that's the same in any programming and config language,
> > it's not rsyslog-specific...).
> >
> > Let me see if we can do a quick online tool for the escaping...
> >
>
> I have written a small escaper. It's available at:
>
> http://www.rsyslog.com/rainerscript-constant-string-escaper/
>
> Not 100% perfect yet, but I think it escapes everything correctly (but I
> need to verify it against rsyslog code, not happen today). If you have
> problems, let me know.
>
> Rainer
>
> > Rainer
> >
> >> Thanks,
> >> Chris Bartram
> >>
> >> --------------------------------------------
> >> On Wed, 11/27/13, Chris Bartram <[email protected]> wrote:
> >>
> >> Subject: [rsyslog] regex filter syntax for v7
> >> To: "rsyslog-users" <[email protected]>
> >> Date: Wednesday, November 27, 2013, 12:24 AM
> >>
> >> Can someone provide me an example of a working regex (has to be regex)
> >> filter I can use in my v7 rsyslog.conf on a RHEL5 server to ignore/drop
> >> messages meeting a specific expression?
> >>
> >> Examples I've tried didn't work; and I see notes in other forums about
> >> needing to double-escape characters in the regex?
> >>
> >> **It would be extra helpful if the regex example could use perl-like
> >> syntax? something like ^kernel\[\d+\] XYZ
> >>
> >> Thanks!
> >> -Chris Bartram
> >>
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
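
Added example, not part of the original thread and not rsyslog project code: a shell model of why the filter discussed above suppresses nothing, and which pattern does. The sample line, the host name, the helper names (msg_of, matches, report) and the simplified TAG/MSG split are assumptions made for illustration; the bre/ere flavors stand in for rsyslog's "regex" (POSIX BRE) and "ereregex" (POSIX ERE) compare operations.

```shell
#!/bin/sh
# Constructed sample line as it would appear in a log file (not real data).
LINE='Dec  3 01:37:00 host1 kernel: type=1400 audit(1386031020.123:42): avc: denied'

# Simplified model (assumption) of the legacy syslog split: everything up to
# and including the first "tag:" after the hostname is TAG, the rest is MSG.
# The leading space is kept, because MSG often begins with one.
msg_of() {
  printf '%s\n' "$1" |
    sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ [^ :]+:(.*)$/\1/'
}

# matches FLAVOR PATTERN TEXT -> exit status 0 on match.
# bre models the "regex" operator, ere models "ereregex".
matches() {
  case "$1" in
    bre) printf '%s\n' "$3" | grep -q -e "$2" ;;
    ere) printf '%s\n' "$3" | grep -Eq -e "$2" ;;
    *) return 2 ;;
  esac
}

MSG=$(msg_of "$LINE")

# Print one result row for a flavor/pattern pair tested against MSG.
report() {
  if matches "$1" "$2" "$MSG"; then r=match; else r='no match'; fi
  printf '%-3s  %-32s -> %s\n' "$1" "$2" "$r"
}

report ere '^kernel: type=[0-9]+ audit'   # tag is not part of MSG
report bre 'type=[0-9]+ audit'            # "+" is a literal in POSIX BRE
report ere '^type=[0-9]+ audit'           # leading space defeats "^"
report ere '^ ?type=[0-9]+ audit'         # works with or without the space
report bre 'type=[0-9][0-9]* audit'       # BRE spelling of "one or more"

# Filter line for rsyslog.conf that follows from this model (assumption):
# :msg, ereregex, "^ ?type=[0-9]+ audit" stop
```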

