Below are a couple of sanitized examples of the debug format. So I want to drop all messages where programname="kernel" and msg regex "^ type=\d+ audit\(.*\)" (type= values vary).

What's the proper R7 syntax for that (including what needs to be escaped)? *I have some other similar filters I want to implement so REALLY want to get the regex syntax down. Thanks.

-Chris Bartram

Debug line with all properties:
FROMHOST: <snip>, PRI: 5,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Dec 3 17:18:38', STRUCTURED-DATA: '-',
msg: ' type=1302 audit(1386109118.424:31333674): item=2 name="/usr/xyz" inode=138597 dev=fd:06 mode=0100640 ouid=000 ogid=000 rdev=00:00'
escaped msg: ' type=1302 audit(1386109118.424:31333674): item=2 name="/usr/xyz" inode=138597 dev=fd:06 mode=0100640 ouid=000 ogid=000 rdev=00:00'
inputname: imudp
rawmsg: '<5>Dec 3 17:18:38 host kernel: type=1302 audit(1386109118.424:31333674): item=2 name="/usr/xyz " inode=138597 dev=fd:06 mode=0100640 ouid=000 ogid=000 rdev=00:00'

Debug line with all properties:
FROMHOST: <snip>, PRI: 5,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Dec 3 17:18:38', STRUCTURED-DATA: '-',
msg: ' type=1302 audit(1386109118.424:31333674): item=3 name="/usr/xyz/agent/agent_inst/sysman/emd/agntstmp.txt.bak" inode=138597 dev=fd:06 mode=0100640 ouid=000 ogid=000 rdev=00:00'
escaped msg: ' type=1302 audit(1386109118.424:31333674): item=3 name="/usr/xyz" inode=138597 dev=fd:06 mode=0100640 ouid=000 ogid=000 rdev=00:00'
inputname: imudp
rawmsg: '<5>Dec 3 17:18:38 host kernel: type=1302 audit(1386109118.424:31333674): item=3 name="/usr/xyz " inode=138597 dev=fd:06 mode=0100640 ouid=000 ogid=000 rdev=00:00'

"The purpose of life is not to be happy. It is to be useful, to be honorable, to be compassionate, to have it make some difference that you have lived and lived well". (Ralph Waldo Emerson)

--------------------------------------------
On Mon, 12/2/13, David Lang <[email protected]> wrote:

Subject: Re: [rsyslog] regex filter syntax for v7
To: "rsyslog-users" <[email protected]>
Date: Monday, December 2, 2013, 11:57 PM

As I said earlier, I think this is because kernel: is the programname; it's not part of the message, so when you look for it in msg, you aren't ever going to find it.

Output some of the logs with the format RSYSLOG_DebugFormat and look at what gets put into each of the variables; it will help a lot when you run into issues like this.

David Lang

On Mon, 2 Dec 2013, Chris Bartram wrote:

> Tried the script with my example and it didn't indicate I needed to escape anything; "^kernel: type=[0-9]+ audit"
>
> Yet when I tried the following in my .conf file it didn't catch (suppress) any records.
>
> :msg, regex, "^kernel: type=[0-9]+ audit" stop
>
> -Chris Bartram
>
> --------------------------------------------
> On Mon, 12/2/13, Rainer Gerhards <[email protected]> wrote:
>
> Subject: Re: [rsyslog] regex filter syntax for v7
> To: "rsyslog-users" <[email protected]>
> Date: Monday, December 2, 2013, 11:04 AM
>
> On Mon, Dec 2, 2013 at 3:28 PM, Rainer Gerhards <[email protected]> wrote:
>
> > On Mon, Dec 2, 2013 at 1:39 PM, Chris Bartram <[email protected]> wrote:
> >
> >> Still looking for help on this. As I said, I need REGEX syntax (including characters that might need escaping) and didn't see anything helpful in the online docs.
> >>
> > Well, basically you need to know how to form your POSIX ERE regexp. Once you have this string, you need to include it in a proper constant. For example, a backslash is an escape character, so you need to escape it by using two backslashes (that's the same in any programming and config language, it's not rsyslog-specific...).
> >
> > Let me see if we can do a quick online tool for the escaping...
>
> I have written a small escaper. It's available at:
> http://www.rsyslog.com/rainerscript-constant-string-escaper/
>
> Not 100% perfect yet, but I think it escapes everything correctly (but I need to verify it against rsyslog code, not happen today). If you have problems, let me know.
>
> Rainer
>
> > Rainer
> >
> >> Thanks,
> >> Chris Bartram
> >>
> >> --------------------------------------------
> >> On Wed, 11/27/13, Chris Bartram <[email protected]> wrote:
> >>
> >> Subject: [rsyslog] regex filter syntax for v7
> >> To: "rsyslog-users" <[email protected]>
> >> Date: Wednesday, November 27, 2013, 12:24 AM
> >>
> >> Can someone provide me an example of a working regex (has to be regex) filter I can use in my v7 rsyslog.conf on a RHEL5 server to ignore/drop messages meeting a specific expression?
> >>
> >> Examples I've tried didn't work; and I see notes in other forums about needing to double-escape characters in the regex?
> >>
> >> **It would be extra helpful if the regex example could use perl-like syntax? something like ^kernel\[\d+\] XYZ
> >>
> >> Thanks!
> >> -Chris Bartram

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
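The filter discussed in this thread, worked through as an added example (not code from any of the posters): a POSIX shell script that checks the ERE with grep -E against msg values constructed from the debug lines above, doubles the backslashes for a RainerScript string constant as Rainer describes, and prints a v7 rule using re_match(), which rsyslog evaluates as POSIX ERE. It assumes only GNU or BSD grep and sed; note that the legacy ':msg, regex,' selector matches POSIX BRE (where + is a literal character) and its ERE counterpart is ':msg, ereregex,'.

```shell
#!/bin/sh
# Added example, not from the rsyslog thread. POSIX ERE has no \d, so the
# Perl-style "^ type=\d+ audit\(.*\)" becomes "[0-9]+"; the leading space is
# real, because msg starts with " type=" once "kernel:" has become programname.
ERE='^ type=[0-9]+ audit\(.*\)'

# Sample msg property values, constructed from the debug lines in the thread
# (the first two should be dropped, the last two must survive).
sample_msgs() {
  printf '%s\n' ' type=1302 audit(1386109118.424:31333674): item=2 name="/usr/xyz"'
  printf '%s\n' ' type=1400 audit(1386109118.500:31333675): avc:  denied  { read }'
  printf '%s\n' 'kernel: type=1302 audit(1386109118.424:31333674): item=2'
  printf '%s\n' 'usb 1-1: new high-speed USB device number 2 using ehci_hcd'
}

# grep -E is POSIX ERE, the same dialect rsyslog's re_match() uses, so it is a
# cheap offline check of the pattern before touching rsyslog.conf.
count_matches() {
  sample_msgs | grep -E -c "$ERE"
}

# Inside a RainerScript string constant the backslash is itself the escape
# character, so every backslash in the ERE has to be doubled.
to_rainerscript_constant() {
  printf '%s\n' "$1" | sed 's/\\/\\\\/g'
}

# Emit the v7 rule: match on programname (not on msg) and discard with "stop".
rainerscript_rule() {
  printf "if \$programname == 'kernel' and re_match(\$msg, '%s') then stop\n" \
    "$(to_rainerscript_constant "$ERE")"
}

rainerscript_rule
```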

