On Tue, Dec 3, 2013 at 7:57 AM, David Lang <[email protected]> wrote:

> On Tue, 3 Dec 2013, Rainer Gerhards wrote:
>
>> On Tue, Dec 3, 2013 at 1:37 AM, Chris Bartram <[email protected]> wrote:
>>
>>> Tried the script with my example and it didn't indicate I needed to escape
>>> anything; "^kernel: type=[0-9]+ audit"
>>>
>>> Yet when I tried the following in my .conf file it didn't catch (suppress)
>>> any records.
>>>
>>> :msg, regex, "^kernel: type=[0-9]+ audit" stop
>>
>> By the way: this is just an old-style filter (which is fine). To test it,
>> you can use the regex checker tool at
>>
>> http://www.rsyslog.com/regex
>>
>> But you need to know, as David said, the actual data that is part of MSG
>> (and I agree with David that "kernel" is most probably not part of it). As
>> a brute-force, you can check against rawmsg and see what happens.
>
> wouldn't rawmsg include the timestamp and hostname, and so wouldn't match
> ^kernel either?

oh yes! I overlooked ^ -- I guess this will never match...

Rainer

> David Lang
>
>> Rainer
>>
>>> -Chris Bartram
>>>
>>> "The purpose of life is not to be happy. It is to be useful, to be
>>> honorable, to be compassionate, to have it make some difference that you
>>> have lived and lived well". (Ralph Waldo Emerson)
>>>
>>> --------------------------------------------
>>> On Mon, 12/2/13, Rainer Gerhards <[email protected]> wrote:
>>>
>>> Subject: Re: [rsyslog] regex filter syntax for v7
>>> To: "rsyslog-users" <[email protected]>
>>> Date: Monday, December 2, 2013, 11:04 AM
>>>
>>> On Mon, Dec 2, 2013 at 3:28 PM, Rainer Gerhards <[email protected]> wrote:
>>>
>>> > On Mon, Dec 2, 2013 at 1:39 PM, Chris Bartram <[email protected]> wrote:
>>> >
>>> >> Still looking for help on this. As I said I need REGEX syntax (including
>>> >> characters that might need escaping) and didn't see anything helpful in the
>>> >> online docs.
>>> >
>>> > Well, basically you need to know how to form your POSIX ERE regexp. Once
>>> > you have this string, you need to include it in a proper constant. For
>>> > example a backslash is escape character, so you need to escape it by using
>>> > two backslashes (that's the same in any programming and config language,
>>> > it's not rsyslog-specific...).
>>> >
>>> > Let me see if we can do a quick online tool for the escaping...
>>>
>>> I have written a small escaper. It's available at:
>>>
>>> http://www.rsyslog.com/rainerscript-constant-string-escaper/
>>>
>>> Not 100% perfect yet, but I think it escapes everything correctly (but I
>>> need to verify it against rsyslog code, not happen today). If you have
>>> problems, let me know.
>>>
>>> Rainer
>>>
>>> > Rainer
>>> >
>>> >> Thanks,
>>> >> Chris Bartram
>>> >>
>>> >> "The purpose of life is not to be happy. It is to be useful, to be
>>> >> honorable, to be compassionate, to have it make some difference that you
>>> >> have lived and lived well". (Ralph Waldo Emerson)
>>> >>
>>> >> --------------------------------------------
>>> >> On Wed, 11/27/13, Chris Bartram <[email protected]> wrote:
>>> >>
>>> >> Subject: [rsyslog] regex filter syntax for v7
>>> >> To: "rsyslog-users" <[email protected]>
>>> >> Date: Wednesday, November 27, 2013, 12:24 AM
>>> >>
>>> >> Can someone provide me an example of a working regex (has to
>>> >> be regex) filter I can use in my v7 rsyslog.conf on a RHEL5
>>> >> server to ignore/drop messages meeting a specific expression?
>>> >>
>>> >> Examples I've tried didn't work; and I see notes in other
>>> >> forums about needing to double-escape characters in the regex?
>>> >>
>>> >> **It would be extra helpful if the regex example could use
>>> >> perl-like syntax? something like ^kernel\[\d+\] XYZ
>>> >>
>>> >> Thanks!
>>> >> -Chris Bartram
>>> >>
>>> >> "The purpose of life is not to be happy. It is to be useful,
>>> >> to be honorable, to be compassionate, to have it make some
>>> >> difference that you have lived and lived well". (Ralph Waldo
>>> >> Emerson)
>>> >>
>>> >> _______________________________________________
>>> >> rsyslog mailing list
>>> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> >> http://www.rsyslog.com/professional-services/
>>> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED
>>> >> by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE
>>> >> and DO NOT POST if you DON'T LIKE THAT.
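Why the anchored filter discussed in this thread never matches, as an added example (not code from the thread or from rsyslog): a simplified model that splits a constructed syslog line into the properties a filter can be tested against and reports where each regex matches. The sample line, the property split (including the leading space kept in `msg`) and the helper names are assumptions; Python's `re` stands in for POSIX ERE, which behaves the same for these patterns.

```python
import re

# Constructed sample line in legacy (RFC 3164-style) syslog format; not from the thread.
RAW = "<5>Dec  3 07:57:01 host1 kernel: type=1400 audit(1386057421.123:42): avc: denied"

# Simplified split (assumption): <PRI>TIMESTAMP HOSTNAME TAG[PID]:MSG
LINE = re.compile(
    r"<\d+>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s\[]+)(\[\d+\])?:(.*)$"
)

def split_properties(raw):
    """Approximate the message properties a regex filter can be applied to."""
    m = LINE.match(raw)
    if m is None:
        raise ValueError("not a legacy-format syslog line")
    _timestamp, host, prog, pid, rest = m.groups()
    return {
        "rawmsg": raw,                          # whole line: starts with PRI and timestamp
        "hostname": host,
        "syslogtag": prog + (pid or "") + ":",  # "kernel:" lives here, not in msg
        "programname": prog,
        "msg": rest,                            # assumed to keep its leading space
    }

def matching_properties(pattern, raw=RAW):
    """Return the names of the properties in which the regex finds a match."""
    rx = re.compile(pattern)
    return [name for name, value in split_properties(raw).items() if rx.search(value)]

if __name__ == "__main__":
    for pattern in (
        r"^kernel: type=[0-9]+ audit",  # filter from the thread: ^ defeats every property
        r"kernel: type=[0-9]+ audit",   # unanchored: only rawmsg contains tag and text
        r"^ ?type=[0-9]+ audit",        # anchored on msg alone, tolerating a leading space
    ):
        print(f"{pattern!r:32} -> {matching_properties(pattern)}")
```

Before deploying a suppression filter, dump the real property values from your own traffic and test the regex against those, since a filter that silently matches nothing (or too much) changes what reaches your logs.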

