[rsyslog-notify] Forum Thread: Help with Regex parsing - (Mode 'post')
noreply at adiscon.com
Fri Jan 30 00:33:29 CET 2015
User: joelb
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25219#p25219
Message:
----------
Hello,
I'm struggling to understand how to correctly use a template with a regex to
parse an incoming message. I'm close, but I must be missing something.
Here's my template:
[code]
$template wifidb_roam, "INSERT INTO Wifi_Data SET
date='%timereported:::date-mysql%',
client_mac='%msg:R,ERE,2,BLANK:(([0-9a-f]{2}:){5}[0-9a-f]{2})--end%',
ap_mac='%msg:R,ERE,3,BLANK:(([0-9a-f]{2}:){5}[0-9a-f]{2})--end%',
event_type='%msg:R,ERE,1,BLANK:(joins|leaves|roams)--end%',
wlan_name='%msg:R,ERE,1,BLANK:(SSID1|SSID2|SSID2|SSID3)--end%',
old_ap_mac='%msg:R,ERE,1,BLANK:(([0-9a-f]{2}:){5}[0-9a-f]{2})--end%'",SQL
[/code]
and here is how I'm using it:
[code]
if $msg contains 'roams out' then {
    action(type="ommysql" server="localhost" db="MYSQLDB"
           uid="MYSQLUSER" pwd="PASSWORD" template="wifidb_roam")
}
[/code]
Here's an example of the data that I'm trying to parse:
[code]
Jan 29 10:39:52 www.domain.com syslog: eventd_to_syslog():AP[AP NAME SW at 6d:a1:bc:15:a3:d0] radio [11g/n] detects User[0a:1c:4a:7e:4c:ac] in WLAN[SSID1] roams out to AP[AP Name 1 at 61:a1:b2:33:4d:5a]
[/code]
But here's what I'm getting in my Database:
[code]
| ID | date                | client_mac | ap_mac | event_type | wlan_name | old_ap_mac        |
| 1  | 2015-01-29 16:40:17 | 65:        |        | roams      | SSID1     | 66:55:44:33:22:11 |
| 2  | 2015-01-29 16:40:22 | 0d:        |        | roams      | SSID1     | 11:22:33:44:55:66 |
[/code]
I'm somehow getting the full "old MAC address", but the partial MAC address
(showing only a part of the MAC address) is what I don't understand.
So something must be wrong with my regex:
[code]
(([0-9a-f]{2}:){5}[0-9a-f]{2})
[/code]
When I tested it on other (non-rsyslog.com) websites, it correctly matched
all 3 values in my example line. FWIW, the rsyslog.com regex tester also
seems to match my results (I thought maybe it was a fluke).
Can someone help me understand what is wrong with my approach?
Thanks,
Joel
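As an added reference, not part of the post and not rsyslog's own matching code, the script below runs the same three ERE patterns from the template over the sample line with Python's `re` module, listing every occurrence of each pattern in order so the reader can compare against the database rows. It then parses the same message a second way, anchoring each field on the token around it (`AP[... at ...]`, `User[...]`, `WLAN[...]`, `roams out to`) instead of counting occurrences, which is how I would extract these fields regardless of the logging tool. The sample line is constructed from the one quoted in the post (re-joined onto a single line, as a real syslog message would be); the field names `reporting_ap_mac`, `client_mac` and `target_ap_mac` are my own and describe position in the message, not the column names in the post's table.

```python
import re

# The MAC pattern from the post, as a non-capturing fragment so it can be
# embedded in larger expressions.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Constructed sample: the line quoted in the post, re-joined onto one line.
SAMPLE = (
    "Jan 29 10:39:52 www.domain.com syslog: eventd_to_syslog():AP[AP NAME SW at "
    "6d:a1:bc:15:a3:d0] radio [11g/n] detects User[0a:1c:4a:7e:4c:ac] in "
    "WLAN[SSID1] roams out to AP[AP Name 1 at 61:a1:b2:33:4d:5a]"
)

# Positional view: the three patterns used in the template, evaluated over the
# whole message. Index n in the returned list is the n-th occurrence, counted
# from zero.
MAC_RE = re.compile(r"(" + MAC + r")")
EVENT_RE = re.compile(r"(joins|leaves|roams)")
WLAN_RE = re.compile(r"(SSID1|SSID2|SSID3)")   # SSID list from the post, duplicate dropped
FULL_MAC_RE = re.compile(r"^" + MAC + r"$")


def occurrences(pattern, msg):
    """Every match of pattern in msg, in order of appearance (whole match)."""
    return [m.group(0) for m in pattern.finditer(msg)]


def is_full_mac(value):
    """True only for a complete six-octet, colon-separated, lowercase MAC."""
    return FULL_MAC_RE.match(value) is not None


# Structured view: anchor each field on the text that surrounds it, so a field
# cannot silently shift to a neighbouring value if an AP name ever contains
# something MAC-shaped or one of the bracketed tokens is missing.
ROAM_RE = re.compile(
    r"AP\[(?P<reporting_ap>.*?) at (?P<reporting_ap_mac>" + MAC + r")\]"
    r".*?User\[(?P<client_mac>" + MAC + r")\]"
    r" in WLAN\[(?P<wlan_name>[^\]]+)\]"
    r" (?P<event_type>roams) out to"
    r" AP\[(?P<target_ap>.*?) at (?P<target_ap_mac>" + MAC + r")\]"
)


def parse_roam(msg):
    """Fields of a 'roams out' message as a dict, or None if it does not match."""
    m = ROAM_RE.search(msg)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for name, pat in (("mac", MAC_RE), ("event", EVENT_RE), ("wlan", WLAN_RE)):
        print(name, occurrences(pat, SAMPLE))
    print(parse_roam(SAMPLE))
```

Every value the positional view returns for the sample line is a complete MAC, which is consistent with the regex itself being sound; the structured parser returns `None` for any line that is not a "roams out" event, so a caller can skip it rather than insert a row of blanks.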