[rsyslog] Help with Regex

David Lang david at lang.hm
Fri Jan 6 01:31:38 CET 2017


I was referring to these quotes.

>> "Jan 5 05:02:42 192.168.10.10-1 TRAMPGR[234234]" traputil.c(534) 34534535
>> %MSG%"

David Lang

On Thu, 5 Jan 2017, Matt MacDonald wrote:

> Date: Thu, 05 Jan 2017 19:25:48 -0500
> From: Matt MacDonald <macdonald.matthew at gmail.com>
> To: David Lang <david at lang.hm>,
>     Matt MacDonald via rsyslog <rsyslog at lists.adiscon.com>
> Subject: Re: [rsyslog] Help with Regex
> 
> Thanks. I'll give that a shot. I was under the impression that the quotes were a delimiter for the Regex. Should I leave them out?
>
>   Original Message  
> From: David Lang
> Sent: Thursday, January 5, 2017 7:19 PM
> To: Matt MacDonald via rsyslog
> Cc: Matt MacDonald
> Subject: Re: [rsyslog] Help with Regex
>
> On Thu, 5 Jan 2017, Matt MacDonald via rsyslog wrote:
>
>> I am trying to redirect these messages to a different host on the network
>> but I need to change the hostname from above to their hostname. The
>> messages arrive looking like:
>>
>> "Jan 5 05:02:42 192.168.10.10-1 TRAMPGR[234234]" traputil.c(534) 34534535
>> %MSG%"
>>
>> I would like to change 192.168.10.10-1 to its DNS name.
>>
>> I have tried:
>>
>> template(name="StupidHell" type="string"
>> string="<%PRI%>%TIMESTAMP::date=rfc3339%
>> %fromhost% %syslogtag:1:32%%msg::sp-if-no-1st-sp%%msg%")
>>
>> :hostname, regex "([0-9]{1,3}\.){3}[0-9]{1,3}\-1" { action(type="omfwd"
>> Target="
>> xxx.xxx.xxx.xxx" Template="StupidHell" Port="514" Protocol="UDP") }
>>
>> this doesn't seem to work since 1) It seems to match everything and 2) it
>> doesn't add the %fromhost% portion.
>>
>> Any suggestions?
>
> The first thing to do when you don't get the results you expect from a template
> or a test is to check what the actual variable contents are.
>
> Log with the template RSYSLOG_DebugFormat and it will show you exactly what is
> what.
>
> Are you sure the message arriving has the quotes in it? That isn't a legitimate
> syslog format, and if the quotes are there, all sorts of things will be wrong
> with the resulting variable contents.
>
> David Lang
>
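
The effect of the leading quote discussed above, as an added example (not code from this thread or from rsyslog): a simplified RFC 3164-style header parse in Python, run over constructed variants of the posted line with and without the quotes, followed by the posted hostname pattern. The `<13>` priority, the sender address 192.0.2.10, the trailing text and the fall-back to the sender address are assumptions; rsyslog's own parser may fill the fields differently, which is what RSYSLOG_DebugFormat output will show.

```python
import re

# Simplified RFC 3164 header: optional <PRI>, "Mmm d hh:mm:ss", HOSTNAME, rest.
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)
# TAG: up to 32 non-space characters, optional [pid], optional colon.
TAG = re.compile(r"^(?P<tag>[^\s:\[]{0,32}(?:\[\d+\])?:?)(?P<msg>.*)$", re.DOTALL)

# Hostname pattern from the post, applied unanchored. Python's re stands in
# for the POSIX regex engine here (assumption of this sketch).
PAGE_FILTER = re.compile(r"([0-9]{1,3}\.){3}[0-9]{1,3}\-1")

def parse(raw, sender_ip):
    """Return the fields a receiver would derive from one raw datagram."""
    m = HEADER.match(raw)
    if not m:
        # No recognisable timestamp: keep the whole packet as the message and
        # take the hostname from the sender address (assumed fall-back).
        return {"header_ok": False, "hostname": sender_ip,
                "syslogtag": "", "msg": raw}
    t = TAG.match(m["rest"])
    return {"header_ok": True, "hostname": m["hostname"],
            "syslogtag": t["tag"], "msg": t["msg"]}

def would_forward(raw, sender_ip):
    """True if the posted pattern matches the derived hostname field."""
    return bool(PAGE_FILTER.search(parse(raw, sender_ip)["hostname"]))

# Constructed samples based on the line quoted in the thread.
SENDER = "192.0.2.10"
CLEAN = "<13>Jan 5 05:02:42 192.168.10.10-1 TRAMPGR[234234] traputil.c(534) 34534535 link down"
QUOTED = '<13>"Jan 5 05:02:42 192.168.10.10-1 TRAMPGR[234234]" traputil.c(534) 34534535 link down"'

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("quoted", QUOTED)):
        print(name, parse(raw, SENDER), "forward:", would_forward(raw, SENDER))
```
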

