Hi all,

I'm having a strange problem creating a re_match() rule for rsyslog-8.24.0-57.el7_9.1.x86_64.

Syslog string:

    Dec 9 13:53:50 SIEM-OS-LOG-TEST sshd[1546]: debug3: mm_request_receive entering

Condition:

    if re_match($msg, ' debug[0-9]') and not ($msg contains 'mm_audit_run_command') then stop

The PROBLEM: When whitespace appears before the "debug[0-9]" the regex stops matching.

I've used the online checker at https://www.rsyslog.com/regex/ and the '(sshd[[0-9]+]: debug[0-9])' expression is working, but not in rsyslog.conf.

I've tried a dozen regexp variants and googled for two days, but no luck.

Please help.

Sergey

