On Tue, 3 Dec 2013, Rainer Gerhards wrote:

On Tue, Dec 3, 2013 at 1:37 AM, Chris Bartram <[email protected]> wrote:

Tried the script with my example and it didn't indicate I needed to escape
anything; "^kernel: type=[0-9]+ audit"
Yet when I tried the following in my .conf file it didn't catch (suppress)
any records.

:msg, regex, "^kernel: type=[0-9]+ audit" stop

By the way: this is just an old-style filter (which is fine). To test it,
you can use the regex checker tool at
http://www.rsyslog.com/regex
But you need to know, as David said, the actual data that is part of MSG
(and I agree with David that "kernel" is most probably not part of it). As
a brute-force, you can check against rawmsg and see what happens.

wouldn't rawmsg include the timestamp and hostname, and so wouldn't match
^kernel either?

David Lang

Rainer

-Chris Bartram
"The purpose of life is not to be happy. It is to be useful, to be
honorable, to be compassionate, to have it make some difference that you
have lived and lived well". (Ralph Waldo Emerson)
--------------------------------------------
On Mon, 12/2/13, Rainer Gerhards <[email protected]> wrote:
Subject: Re: [rsyslog] regex filter syntax for v7
To: "rsyslog-users" <[email protected]>
Date: Monday, December 2, 2013, 11:04 AM
On Mon, Dec 2, 2013 at 3:28 PM, Rainer Gerhards <[email protected]> wrote:
> On Mon, Dec 2, 2013 at 1:39 PM, Chris Bartram <[email protected]> wrote:
>
>> Still looking for help on this. As I said I need REGEX syntax (including
>> characters that might need escaping) and didn't see anything helpful in the
>> online docs.
>>
>>
> Well, basically you need to know how to form your POSIX ERE regexp. Once
> you have this string, you need to include it in a proper constant. For
> example a backslash is escape character, so you need to escape it by using
> two backslashes (that's the same in any programming and config language,
> it's not rsyslog-specific...).
>
> Let me see if we can do a quick online tool for the escaping...
>
I have written a small escaper. It's available at:
http://www.rsyslog.com/rainerscript-constant-string-escaper/
Not 100% perfect yet, but I think it escapes everything correctly (but I
need to verify it against rsyslog code, not happen today). If you have
problems, let me know.
Rainer
>
> Rainer
>
>
>> Thanks,
>> Chris Bartram
>>
>>
>> "The purpose of life is not to be happy. It is to be useful, to be
>> honorable, to be compassionate, to have it make some difference that you
>> have lived and lived well". (Ralph Waldo Emerson)
>>
>> --------------------------------------------
>> On Wed, 11/27/13, Chris Bartram <[email protected]> wrote:
>>
>> Subject: [rsyslog] regex filter syntax for v7
>> To: "rsyslog-users" <[email protected]>
>> Date: Wednesday, November 27, 2013, 12:24 AM
>>
>>
>> Can someone provide me an example of a working regex (has to
>> be regex) filter I can use in my v7 rsyslog.conf on a RHEL5
>> server to ignore/drop messages meeting a specific
>> expression?
>>
>> Examples I've tried didn't work; and I see notes in other
>> forums about needing to double-escape characters in the
>> regex?
>>
>> **It would be extra helpful if the regex example could use
>> perl-like syntax? something like ^kernel\[\d+\] XYZ
>>
>> Thanks!
>> -Chris Bartram
>>
>>
>> "The purpose of life is not to be happy. It is to be useful,
>> to be honorable, to be compassionate, to have it make some
>> difference that you have lived and lived well". (Ralph Waldo
>> Emerson)
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED
>> by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE
>> and DO NOT POST if you DON'T LIKE THAT.
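
Added example, not part of the thread and not rsyslog code: a shell sketch of why the anchored filter discussed above matches neither msg nor rawmsg. The sample line, the simplified property split in `prop`, and the helper names are assumptions; rsyslog's documentation describes the `regex` compare operation as POSIX BRE and `ereregex` as POSIX ERE, which `grep` and `grep -E` stand in for here.

```shell
#!/bin/sh
# Constructed RFC 3164-style line (sample data, not taken from the thread).
RAW='<5>Dec  3 01:37:00 host1 kernel: type=1400 audit(1386031020.123:45): avc: denied'

# Simplified model (assumption) of the properties a filter can test:
#   rawmsg    = the line exactly as received, PRI included
#   syslogtag = the tag up to and including the first colon
#   msg       = everything after the tag, leading space kept
prop() {
    rest=${RAW#*>}                            # drop <PRI>
    rest=$(printf '%s' "$rest" | cut -c17-)   # drop 15-char timestamp + space
    rest=${rest#* }                           # drop hostname
    case $1 in
        rawmsg)    printf '%s\n' "$RAW" ;;
        syslogtag) printf '%s\n' "${rest%%:*}:" ;;
        msg)       printf '%s\n' "${rest#*:}" ;;
    esac
}

# matches MODE VALUE REGEX: exit status 0 on match.
# MODE "bre" models the regex operation, "ere" models ereregex.
matches() {
    case $1 in
        ere) printf '%s\n' "$2" | grep -Eq -- "$3" ;;
        bre) printf '%s\n' "$2" | grep -q -- "$3" ;;
    esac
}

# report MODE PROPERTY REGEX: print one result row.
report() {
    if matches "$1" "$(prop "$2")" "$3"; then r='match'; else r='no match'; fi
    printf '%-3s %-6s %-30s %s\n' "$1" "$2" "$3" "$r"
}

report ere msg    '^kernel: type=[0-9]+ audit'   # tag is not part of msg
report ere rawmsg '^kernel: type=[0-9]+ audit'   # rawmsg starts with <PRI>
report ere rawmsg 'kernel: type=[0-9]+ audit'    # unanchored: matches
report ere msg    '^ ?type=[0-9]+ audit'         # allow the leading space
report bre msg    '^ ?type=[0-9]+ audit'         # in BRE, ? and + are literal
report bre msg    '^ *type=[0-9][0-9]* audit'    # BRE spelling of the same test
```

Printing the property being tested (for example with a debug template) before writing the anchor is the quickest way to confirm what rsyslog actually placed in msg on a given system.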