James,

Below is a sample log.  I should note that I can’t filter on the message itself 
because Cisco routers are fairly stupid and don’t send any identifying 
information with the log message itself.  Everything after the second timestamp 
is different for each “type” of message they send, and each type has a unique 
identifier like “%LINK-3-UPDOWN” etc.  The problem with that is that there are 
thousands of different event types, so having to filter for each one 
individually isn’t any better than listing every possible IP address in my 
rsyslog.d file.

Sep  2 16:41:55 192.168.98.33 236058: 236055: Sep  2 16:41:54.286 DEST: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to down


> On Sep 2, 2015, at 4:41 PM, James Lay <[email protected]> wrote:
> 
> On 2015-09-02 01:15 PM, Brandon Phelps wrote:
>> Hello All,
>> I am trying to create a filter using fromhost-ip using the regex
>> matching method.  I’m having some trouble getting anchors (^ and $) to
>> work.  I have around 1000 devices sending syslog data to the server
>> and out of those 1000 devices, a certain subset of them should go to
>> their own log file (a single log file for those that match, not
>> individual files).  I know which device should go to which file based
>> on the IP address of the device.  If the first two octets of the
>> fromhost-ip are 192.168, the 3rd octet is anything, and the 4th octet
>> is 1 OR 33 OR 65, etc then I’d like to handle the log differently.
>> I tried using the following:
>> :fromhost-ip, regex, ‘^192\.168\.[0-9]{1,3}\.(1|33|64)$’
>> -/var/log/router-logs.log
>> & ~
>> However this doesn’t seem to work at all.  I can get things working
>> without using anchors however if I do that, I would also match
>> 192.168.x.103 instead of just 192.168.x.1, etc.
>> Any ideas what I’m doing wrong?
>> Thanks in advance,
>> Brandon
> 
> Can you post a sanitized log entry on what you're trying to match?
> 
> james
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.

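Added example (not part of the original thread): rsyslog's "regex" compare operation takes a POSIX BRE and "ereregex" takes a POSIX ERE, so the script below runs the pattern from the original question under both syntaxes, with grep and grep -E standing in for the two operations. The sample addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Pattern as posted in the thread (last-octet list copied as-is; adjust to the real set).
PATTERN='^192\.168\.[0-9]{1,3}\.(1|33|64)$'

# Constructed sample source addresses, not taken from a real capture.
SAMPLE_IPS='192.168.98.33
192.168.98.1
192.168.7.103
192.168.7.133
10.168.98.33
192.168.98.64'

# Print the sample addresses selected by PATTERN under the given syntax.
#   bre = POSIX basic regex    (what "regex" uses)
#   ere = POSIX extended regex (what "ereregex" uses)
# grep exits 1 on "no match"; that is a valid result here, not an error.
match_ips() {
    case "$1" in
        bre) printf '%s\n' "$SAMPLE_IPS" | grep -e "$PATTERN" || [ "$?" -eq 1 ] ;;
        ere) printf '%s\n' "$SAMPLE_IPS" | grep -E -e "$PATTERN" || [ "$?" -eq 1 ] ;;
        *)   echo "usage: match_ips bre|ere" >&2; return 2 ;;
    esac
}

# Same expression as ERE but without ^ and $: shows the over-match on
# x.x.x.103 described in the question.
match_unanchored() {
    printf '%s\n' "$SAMPLE_IPS" \
        | grep -E -e '192\.168\.[0-9]{1,3}\.(1|33|64)' || [ "$?" -eq 1 ]
}

# In BRE, {1,3}, ( ) and | are literal characters, so nothing matches.
echo "BRE, anchored:   $(match_ips bre | tr '\n' ' ')"
# In ERE they are interval, group and alternation, so the anchors behave as intended.
echo "ERE, anchored:   $(match_ips ere | tr '\n' ' ')"
echo "ERE, unanchored: $(match_unanchored | tr '\n' ' ')"
```

In the filter line this corresponds to using ereregex instead of regex as the compare operation.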