[rsyslog] Help with Regex

Matt MacDonald macdonald.matthew at gmail.com
Fri Jan 6 01:25:48 CET 2017


Thanks. I'll give that a shot. I‎ was under the impression that the quotes were a delimiter for the Regex. Should I leave them out?

  Original Message  
From: David Lang
Sent: Thursday, January 5, 2017 7:19 PM
To: Matt MacDonald via rsyslog
Cc: Matt MacDonald
Subject: Re: [rsyslog] Help with Regex

On Thu, 5 Jan 2017, Matt MacDonald via rsyslog wrote:

> I am trying to redirect these messages to a different host on the network
> but I need to change the hostname from above to their hostname. The
> messages arrive looking like:
>
> "Jan 5 05:02:42 192.168.10.10-1 TRAMPGR[234234]" traputil.c(534) 34534535
> %MSG%"
>
> I would like to change 192.168.10.10-1 to it's DNS name.
>
> I have tried:
>
> template(name="StupidHell" type="string"
> string="<%PRI%>%TIMESTAMP::date=rfc3339%
> %fromhost% %syslogtag:1:32%%msg::sp-if-no-1st-sp%%msg%")
>
> :hostname, regex "([0-9]{1,3}\.){3}[0-9]{1,3}\-1" { action(type="omfwd"
> Target="
> xxx.xxx.xxx.xxx" Template="StupidHell" Port="514" Protocol="UDP") }
>
> this doesn't seem to work since 1) It seems to match everything and 2) it
> doesn't add the %hromhost% portion.
>
> Any suggestions?

The first thing to do when you don't get the results you expect from a template 
or a test is to check what the actual variable contents are.

log with the template RSYSLOG_DebugFormat and it will show you exactly what is 
what.

Are you sure the message arriving has the quotes in it? that isn't a legitimate 
syslog format, and if the quotes are there, all sorts of things will be wrong 
with the resulting variable contents.

David Lang


More information about the rsyslog mailing list