On 2015-09-02 02:45 PM, Brandon Phelps wrote:
James,

Below is a sample log.  I should note that I can’t filter on the
message itself because Cisco routers are fairly stupid and don’t send
any identifying information with the log message itself.  Everything
after the second timestamp is different for each "type" of message
they send, and each type has a unique identifier like “%LINK-3-UPDOWN”
etc.  The problem with that is that there are thousands of different
event types, so having to filter for each one individually isn’t any
better than listing every possible IP address in my rsyslog.d file.

Sep  2 16:41:55 192.168.98.33 236058: 236055: Sep  2 16:41:54.286 DEST: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to down


On Sep 2, 2015, at 4:41 PM, James Lay <[email protected]> wrote:

On 2015-09-02 01:15 PM, Brandon Phelps wrote:
Hello All,
I am trying to create a filter using fromhost-ip using the regex
matching method. I’m having some trouble getting anchors (^ and $) to
work.  I have around 1000 devices sending syslog data to the server
and out of those 1000 devices, a certain subset of them should go to
their own log file (a single log file for those that match, not
individual files).  I know which device should go to which file based
on the IP address of the device.  If the first two octets of the
fromhost-ip are 192.168, the 3rd octet is anything, and the 4th octet
is 1 OR 33 OR 65, etc then I’d like to handle the log differently.
I tried using the following:
:fromhost-ip, regex, "^192\.168\.[0-9]{1,3}\.(1|33|64)$" -/var/log/router-logs.log
& ~
However this doesn’t seem to work at all.  I can get things working
without using anchors however if I do that, I would also match
192.168.x.103 instead of just 192.168.x.1, etc.
Any ideas what I’m doing wrong?
Thanks in advance,
Brandon

Can you post a sanitized log entry on what you're trying to match?

james
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

Personally I would filter on:

LINK-3-UPDOWN

Also, your "$" is telling rsyslog that either 1, 33, or 64 is the end of the entire LINE, which in the above case is actually "down". You can also try:

:fromhost-ip, regex, ".*192\.168\.[0-9]{1,3}\.(1|33|64).*LINK-3-UPDOWN.*" -/var/log/router-logs.log

Hope that helps.

James
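Added example (editor's, not code from the thread): a POSIX shell script that runs the fromhost-ip pattern from the original post against a few constructed sender addresses under the two regex flavours rsyslog offers. rsyslog's "regex" compare-operation is POSIX BRE, where {1,3}, ( ) and | are literal characters, while "ereregex" is POSIX ERE, where they mean what the pattern intends; plain grep and grep -E stand in for the two here. Because the fromhost-ip property holds only the sender's address, ^ and $ anchor against that address, so the anchored ERE form accepts 192.168.x.1 and rejects 192.168.x.103, which the unanchored form lets through. The script also pulls the %FACILITY-SEVERITY-MNEMONIC tag out of the sample line from the thread with sed, since that tag is the token James suggests filtering on. The 192.168.5.x, 192.168.255.33 and 10.0.0.1 addresses are constructed test data.

```sh
#!/bin/sh
# Added example, not code from the thread: run the fromhost-ip pattern from
# the original post against a few constructed sender addresses under the two
# POSIX regex flavours rsyslog offers. rsyslog's "regex" compare-op is POSIX
# BRE and "ereregex" is POSIX ERE; plain grep and grep -E stand in for them.

# The exact pattern from the post, and the same pattern without anchors.
PATTERN='^192\.168\.[0-9]{1,3}\.(1|33|64)$'
UNANCHORED='192\.168\.[0-9]{1,3}\.(1|33|64)'

# ip_matches FLAVOUR PATTERN ADDRESS -> prints "match" or "nomatch".
# FLAVOUR is "bre" (rsyslog regex) or "ere" (rsyslog ereregex). Only the
# address is tested, which is what fromhost-ip holds, so ^ and $ anchor
# against the address and not against the log line.
ip_matches() {
    flavour=$1
    pattern=$2
    addr=$3
    if [ "$flavour" = ere ]; then
        eflag=-E
    else
        eflag=
    fi
    if printf '%s\n' "$addr" | grep -q $eflag -- "$pattern"; then
        echo match
    else
        echo nomatch
    fi
}

# The sample line quoted in the thread, as rsyslog received it from the router.
SAMPLE='Sep  2 16:41:55 192.168.98.33 236058: 236055: Sep  2 16:41:54.286 DEST: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to down'

# cisco_mnemonic LINE -> the Cisco %FACILITY-SEVERITY-MNEMONIC tag without
# its leading % (LINK-3-UPDOWN for the sample), or nothing if absent.
cisco_mnemonic() {
    printf '%s\n' "$1" | sed -n 's/.*%\([A-Z0-9_]*-[0-7]-[A-Z0-9_]*\):.*/\1/p'
}

# Demo. In BRE, {1,3}, ( ) and | are literal characters, so the anchored
# pattern never matches a real address; in ERE it does what was intended,
# and the unanchored ERE form also accepts 192.168.5.103 via its ".1".
for addr in 192.168.5.1 192.168.5.103 192.168.255.33 10.0.0.1; do
    printf '%-16s regex(BRE)=%-8s ereregex(ERE)=%-8s unanchored=%s\n' \
        "$addr" \
        "$(ip_matches bre "$PATTERN" "$addr")" \
        "$(ip_matches ere "$PATTERN" "$addr")" \
        "$(ip_matches ere "$UNANCHORED" "$addr")"
done
echo "mnemonic in sample line: $(cisco_mnemonic "$SAMPLE")"

# The rsyslog legacy-syntax filter the ERE column corresponds to:
#   :fromhost-ip, ereregex, "^192\.168\.[0-9]{1,3}\.(1|33|64)$" -/var/log/router-logs.log
#   & ~
```

Run it with sh; the BRE column is "nomatch" for every address, the ERE column accepts only the .1, .33 and .64 hosts inside 192.168.0.0/16, and the unanchored column additionally accepts 192.168.5.103.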
