[rsyslog-notify] Forum Thread: Re: Help with Regex parsing - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Sat Jan 31 00:10:07 CET 2015


User: joelb 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25222#p25222

Message: 
----------
To somewhat answer my own question.

I had to change my base REGEX from

[code](([0-9a-f]{2}:){5}[0-9a-f]{2})[/code]
to

[code](([0-9a-f]{2}:){5}[0-9a-f]{2})(.*)(([0-9a-f]{2}:){5}[0-9a-f]{2})(.*)(([0-9a-f]{2}:){5}[0-9a-f]{2})[/code]

I'm a complete regex amateur, but my guess is that rsyslog needs to match
the ENTIRE record/string you are trying to extract data from (as separated
by regex pieces in ()). This is in contrast to my very basic understanding
of how regex works.

Now when I use my new regex above in rsyslog.com/regex/ with this log line
sample:
[code]Jan 29 10:39:52 www.domain.com syslog: eventd_to_syslog():AP[AP NAME SW at 6d:a1:bc:15:a3:d0] radio [11g/n] detects User[0a:1c:4a:7e:4c:ac] in WLAN[WifiSSID] roams out to AP[AP Name 1 at 61:a1:b2:33:4d:5a][/code]

I now get this result:

[code]
0: 6d:a1:bc:15:a3:d0] radio [11g/n] detects User[0a:1c:4a:7e:4c:ac] in WLAN[WifiSSID] roams out to AP[AP Name 1 at 61:a1:b2:33:4d:5a
1: 6d:a1:bc:15:a3:d0
2: a3:
3: ] radio [11g/n] detects User[
4: 0a:1c:4a:7e:4c:ac
5: 4c:
6: ] in WLAN[WifiSSID] roams out to AP[AP Name 1@
7: 61:a1:b2:33:4d:5a
8: 4d:
[/code]

Which allows me to select submatches 1 (for old_ap_mac), 4 (for
client_mac), and 7 (for ap_mac).

That makes my template much longer but here is what it looks like now:
[code]
$template wifidb_roam, "INSERT INTO Wifi_Data SET
date='%timereported:::date-mysql%',
client_mac='%msg:R,ERE,4,BLANK:(([0-9a-f]{2}:){5}[0-9a-f]{2})(.*)(([0-9a-f]{2}:){5}[0-9a-f]{2})(.*)(([0-9a-f]{2}:){5}[0-9a-f]{2})--end%',
ap_mac='%msg:R,ERE,7,BLANK:(([0-9a-f]{2}:){5}[0-9a-f]{2})(.*)(([0-9a-f]{2}:){5}[0-9a-f]{2})(.*)(([0-9a-f]{2}:){5}[0-9a-f]{2})--end%',
event_type='%msg:R,ERE,1,BLANK:(joins|leaves|roams)--end%',
wlan_name='%msg:R,ERE,1,BLANK:(SSID1|SSID2|SSID2|SSID3)--end%',
old_ap_mac='%msg:R,ERE,1,BLANK:(([0-9a-f]{2}:){5}[0-9a-f]{2})(.*)(([0-9a-f]{2}:){5}[0-9a-f]{2})(.*)(([0-9a-f]{2}:){5}[0-9a-f]{2})--end%'",SQL
[/code]

In case anyone comes looking for something like this, the log data is
coming from my Ruckus Wireless Controller (called a "Zone Director").
Our idea is to grab the data from it, store it in a database, and then
produce a home-grown map showing the location of wireless clients.

-Joel
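Editor's note, with an added example that is not part of Joel's post and not rsyslog code. What the post ran into is the first-match rule of rsyslog's property replacer: `%msg:R,ERE,<submatch>,BLANK:<regex>--end%` applies the regex once, takes the first place it matches, and returns the numbered submatch of that one match. A regex that matches a single MAC therefore always yields the first MAC in the line, no matter which submatch is requested, which is why a regex spanning all three MACs (with the gaps as their own groups) was needed. The Python below reproduces the 0..8 submatch numbering shown above on the posted log line, and shows two caveats a practitioner would want before storing this in a database: the three-MAC regex returns BLANK for every MAC field on any line that does not carry three MACs (a constructed join line is used to show this), and `[0-9a-f]` is case sensitive, so upper-case hex in a MAC is silently missed. The second sample line, the `WLAN[...]` regex and the `re.IGNORECASE` single-MAC regex are my assumptions, not something the ZoneDirector log format or the post guarantees.

```python
import re

# The post's ERE, verbatim: three MAC addresses with greedy (.*) gaps between them.
# Group numbering: 1, 4, 7 are the MACs; 2, 5, 8 are the last "xx:" of each
# repeated group; 3 and 6 are the text between the MACs.
THREE_MACS = re.compile(
    r"(([0-9a-f]{2}:){5}[0-9a-f]{2})(.*)"
    r"(([0-9a-f]{2}:){5}[0-9a-f]{2})(.*)"
    r"(([0-9a-f]{2}:){5}[0-9a-f]{2})"
)

# A single MAC, non-capturing, and case-insensitive so upper-case hex is not
# missed (the post's class [0-9a-f] only matches lower case). Assumption: this
# is my addition, not the post's regex.
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)
EVENT = re.compile(r"\b(joins|leaves|roams)\b")
# Generalisation of the post's (SSID1|SSID2|...) list; assumes SSIDs contain no "]".
WLAN = re.compile(r"WLAN\[([^\]]*)\]")

# Constructed samples. SAMPLE_ROAM is the line from the post, rejoined onto one
# line. SAMPLE_JOIN is invented (upper-case AP MAC, only two MACs) to show how
# the three-MAC regex behaves when a line does not carry three MACs.
SAMPLE_ROAM = (
    "Jan 29 10:39:52 www.domain.com syslog: eventd_to_syslog():AP[AP NAME SW at "
    "6d:a1:bc:15:a3:d0] radio [11g/n] detects User[0a:1c:4a:7e:4c:ac] in "
    "WLAN[WifiSSID] roams out to AP[AP Name 1 at 61:a1:b2:33:4d:5a]"
)
SAMPLE_JOIN = (
    "Jan 29 10:41:07 www.domain.com syslog: eventd_to_syslog():AP[AP Name 1 at "
    "61:A1:B2:33:4D:5A] radio [11g/n] detects User[0a:1c:4a:7e:4c:ac] joins "
    "WLAN[WifiSSID]"
)


def rsyslog_submatch(regex, line, submatch, nomatch=""):
    """Mimic %msg:R,ERE,<submatch>,BLANK:<regex>--end%: take the FIRST match in
    the line and return group <submatch>; BLANK ("") when nothing matches."""
    m = regex.search(line)
    return nomatch if m is None else m.group(submatch)


def groups_of_first_match(regex, line):
    """Numbered groups 0..N of the first match, in the same numbering the
    rsyslog.com/regex tool (and the submatch field) uses."""
    m = regex.search(line)
    return {} if m is None else {i: m.group(i) for i in range(len(m.groups()) + 1)}


def parse_event(line):
    """Extract the fields the post's template stores. The three MAC fields use
    the post's regex and submatch numbers; all_macs is the alternative of
    matching one MAC and taking the n-th occurrence, normalised to lower case."""
    return {
        "event_type": rsyslog_submatch(EVENT, line, 1),
        "wlan_name": rsyslog_submatch(WLAN, line, 1),
        "old_ap_mac": rsyslog_submatch(THREE_MACS, line, 1),
        "client_mac": rsyslog_submatch(THREE_MACS, line, 4),
        "ap_mac": rsyslog_submatch(THREE_MACS, line, 7),
        "all_macs": [m.lower() for m in MAC.findall(line)],
    }


if __name__ == "__main__":
    for i, text in groups_of_first_match(THREE_MACS, SAMPLE_ROAM).items():
        print(f"{i}: {text}")
    for line in (SAMPLE_ROAM, SAMPLE_JOIN):
        print(parse_event(line))
```

On the roam line this gives exactly the nine groups listed in the post, with 1, 4 and 7 being the MACs. On the two-MAC join line the three-MAC regex does not match at all, so old_ap_mac, client_mac and ap_mac all come back BLANK and the INSERT would store three empty strings, while the single-MAC findall still returns both MACs. In rsyslog itself the findall-and-index approach corresponds to the optional match-number field the property replacer documents after the nomatch option (for example `%msg:R,ERE,0,BLANK,1:<single-MAC regex>--end%` for the second MAC in the line), which keeps each template field to one short regex instead of the full three-MAC one repeated three times.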

