Thanks for the quick replies! I think I am missing something. Since I’m using a property-based filter, shouldn’t “:fromhost-ip, regex, ‘blah’” ONLY compare the regular expression I defined to the “fromhost-ip” property? And so shouldn’t $ match the end of the IP address instead of the end of “:msg”?
Regarding your suggestion, I can’t feasibly match .*<ip address regex>.* because the syslog message may be from a device that isn’t in scope, but the message itself may contain the IP of an in-scope device. I also can’t use the LINK-3-UPDOWN because Cisco has thousands of different identifiers (a unique identifier exists for each type of syslog message), and I want to capture *any* message, as long as the fromhost-ip matches the regex I devised earlier.

Regards,
Brandon

> On Sep 2, 2015, at 5:32 PM, James Lay <[email protected]> wrote:
>
> On 2015-09-02 02:45 PM, Brandon Phelps wrote:
>> James,
>> Below is a sample log. I should note that I can’t filter on the message itself because Cisco routers are fairly stupid and don’t send any identifying information with the log message itself. Everything after the second timestamp is different for each “type" of message they send, and each type has a unique identifier like “%LINK-3-UPDOWN” etc. The problem with that is that there are thousands of different event types, so having to filter for each one individually isn’t any better than listing every possible IP address in my rsyslog.d file.
>>
>> Sep 2 16:41:55 192.168.98.33 236058: 236055: Sep 2 16:41:54.286 DEST: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to down
>>
>>> On Sep 2, 2015, at 4:41 PM, James Lay <[email protected]> wrote:
>>> On 2015-09-02 01:15 PM, Brandon Phelps wrote:
>>>> Hello All,
>>>> I am trying to create a filter using fromhost-ip using the regex matching method. I’m having some trouble getting anchors (^ and $) to work. I have around 1000 devices sending syslog data to the server and out of those 1000 devices, a certain subset of them should go to their own log file (a single log file for those that match, not individual files). I know which device should go to which file based on the IP address of the device. If the first two octets of the fromhost-ip are 192.168, the 3rd octet is anything, and the 4th octet is 1 OR 33 OR 65, etc then I’d like to handle the log differently.
>>>> I tried using the following:
>>>>
>>>> :fromhost-ip, regex, '^192\.168\.[0-9]{1,3}\.(1|33|64)$'
>>>> -/var/log/router-logs.log
>>>> & ~
>>>>
>>>> However this doesn’t seem to work at all. I can get things working without using anchors, however if I do that, I would also match 192.168.x.103 instead of just 192.168.x.1, etc.
>>>> Any ideas what I’m doing wrong?
>>>> Thanks in advance,
>>>> Brandon
>>> Can you post a sanitized log entry on what you're trying to match?
>>> james
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>
> Personally I would filter on:
>
> LINK-3-UPDOWN
>
> Also, your "$" is telling rsyslog that either 1, 33, or 64 is the end of the entire LINE, which in the above case is actually "down". You can also try:
>
> :fromhost-ip, regex, ".*192\.168\.[0-9]{1,3}\.(1|33|64).*LINK-3-UPDOWN.*"
> -/var/log/router-logs.log
>
> Hope that helps.
>
> James
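The two approaches in this thread, a property-based filter on fromhost-ip versus an unanchored match over the whole message, can be compared directly. The Python below is an added example, not rsyslog code and not from anyone in the thread; it replays both patterns over the posted log line plus two constructed ones, standing in for rsyslog's filter evaluation. It assumes ERE/Python regex syntax; note that rsyslog's `regex` filter type is POSIX BRE (where `{1,3}` and `(1|33|64)` are literal text unless escaped) while `ereregex` selects POSIX ERE, which is what the pattern as written expects.

```python
import re

# Constructed sample input: the line Brandon posted plus two constructed
# variants. Each tuple is (fromhost-ip as rsyslog would set it, message text).
SAMPLE_LOGS = [
    ("192.168.98.33",
     "236058: 236055: Sep 2 16:41:54.286 DEST: %LINK-3-UPDOWN: "
     "Interface FastEthernet2, changed state to down"),
    ("192.168.98.103",  # constructed: 4th octet 103, must NOT be routed
     "236059: 236056: Sep 2 16:41:55.001 DEST: %SYS-5-CONFIG_I: "
     "Configured from console"),
    ("10.20.30.40",     # constructed: out-of-scope sender mentioning an in-scope IP
     "Neighbor 192.168.98.33 changed state to down (LINK-3-UPDOWN)"),
]

# Brandon's anchored pattern, written in ERE/Python syntax (rsyslog's
# `regex` type is BRE; `ereregex` would read this pattern as intended).
IN_SCOPE_HOST = re.compile(r"^192\.168\.[0-9]{1,3}\.(1|33|64)$")

# James's alternative: an unanchored search over the whole message text.
IN_SCOPE_ANYWHERE = re.compile(r".*192\.168\.[0-9]{1,3}\.(1|33|64).*")


def route_by_property(fromhost_ip: str) -> str:
    """Property-based filter: the regex only ever sees the fromhost-ip value,
    so ^ and $ anchor to the start and end of the address itself."""
    return "router-logs" if IN_SCOPE_HOST.match(fromhost_ip) else "default"


def route_by_message(fromhost_ip: str, msg: str) -> str:
    """Message-content filter: fires when an in-scope-looking IP appears
    anywhere in the line, regardless of which device actually sent it."""
    line = fromhost_ip + " " + msg
    return "router-logs" if IN_SCOPE_ANYWHERE.match(line) else "default"


def compare(logs=SAMPLE_LOGS):
    """Return {fromhost_ip: (property_route, message_route)} per sample."""
    return {ip: (route_by_property(ip), route_by_message(ip, msg))
            for ip, msg in logs}


if __name__ == "__main__":
    for ip, (prop, body) in compare().items():
        print(f"{ip:15} property-filter={prop:12} message-filter={body}")
```

The unanchored message match routes both the 192.168.98.103 line (because "192.168.98.1" is a substring) and the out-of-scope 10.20.30.40 sender, which are exactly the two over-matches Brandon describes; the anchored property filter routes only 192.168.98.33.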

