[rsyslog-notify] Forum Thread: Send single database to its own file - re_extract - (Mode 'post')
noreply at adiscon.com
Fri Feb 5 12:23:35 CET 2016
User: rwidmer
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26326#p26326
Message:
----------
My goals are to send most postgresql logs to one file, and logs for the
'sessions' database to another. Also send FATAL: messages to another
server.
I have the following configuration in a file /etc/rsyslog.d/pgsql:
[code:2k9a0s3o]
local0.* {
    if( "sessions" == re_extract( $msg, "[?[a-zA-Z0-9]+]?@([?[a-zA-Z0-9]+]?)", 0, 1 ) ) then {
        action( type="omfile" file="/var/log/pgsql/sessions" )
    }
    else {
        action( type="omfile" file="/var/log/pgsql/notsessions" )
    }
    if re_match( $msg, "FATAL:" ) then {
        action( type="omfwd" target="192.168.2.10" protocol="udp" port="514" )
    }
}
[/code:2k9a0s3o]
Postgres is sending log data to syslog via LOCAL0. Selecting and sending
FATAL: messages to the remote server is working, but all messages are sent
to the notsessions file, and nothing is sent to the sessions file.
A typical log line looks like:
Feb 5 10:25:08 odcdb postgres[16898]: [4-1] [16898-2] postgres@sessions LOG: connection authorized: user=postgres database=sessions
I am trying to extract the "postgres@sessions" part with the following
regex:
"[?[a-zA-Z0-9]+]?@([?[a-zA-Z0-9]+]?)"
The [? and ]? terms are there because sometimes the user@database value is
"[unknown]@[unknown]"
http://www.rsyslog.com/regex/ says:
[code:2k9a0s3o]
rsyslog property:    msg
Regular Expression:  [?[a-zA-Z0-9]+]?@([?[a-zA-Z0-9]+]?)
Submatch to Use:     1
Nomatch Mode:        DFLT (legacy default)
Sample Log Line:     Feb 5 10:25:08 odcdb postgres[16898]: [4-1] [16898-2] postgres@sessions LOG: connection authorized: user=postgres database=sessions

The output is: sessions
A string of size 17 was found in match 1. You requested submatch 1 from the returned match.

Full set of regular expression submatches:
0: postgres@sessions
1: sessions
[/code:2k9a0s3o]
I suspect I am doing something wrong with re_extract, but I don't see what.
I have tried 1, 1; 1, 0; and 0, 1 for the last two parameters since I am
not sure exactly what they do... None of them worked.
Suggestions on how to achieve my goal better are welcome!
Thanks in advance.
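
An added example, not part of the original post and not rsyslog's own code: a small C harness that runs the regex from the post through the POSIX ERE engine (regcomp/regexec) against the sample log line and the "[unknown]@[unknown]" case. The helper name extract and its match/submatch semantics (n-th match, 0-based; capture group, 0 = whole match) are assumptions modeled on the re_extract parameter order; the sample lines are constructed from the post.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: $msg part of the log line and the regex from the post. */
#define RE   "[?[a-zA-Z0-9]+]?@([?[a-zA-Z0-9]+]?)"
#define LINE " [4-1] [16898-2] postgres@sessions LOG: connection authorized: user=postgres database=sessions"

/* Hypothetical helper, not rsyslog source. Assumed semantics: take the
 * match-th (0-based) match of re in expr and copy its submatch-th group
 * (0 = whole match) to out; on failure copy nofound and return 0. */
int extract(const char *expr, const char *re, int match, int submatch,
            const char *nofound, char *out, size_t outlen)
{
    regex_t preg;
    regmatch_t m[10];
    const char *p = expr;
    int found = 0;
    snprintf(out, outlen, "%s", nofound);
    if (submatch < 0 || submatch >= 10 || regcomp(&preg, re, REG_EXTENDED))
        return 0;
    for (int i = 0; i <= match; i++) {
        /* after the first hit p is no longer at the start of the string */
        if (regexec(&preg, p, 10, m, i ? REG_NOTBOL : 0) != 0)
            break;
        if (i == match && m[submatch].rm_so >= 0) {
            snprintf(out, outlen, "%.*s",
                     (int)(m[submatch].rm_eo - m[submatch].rm_so),
                     p + m[submatch].rm_so);
            found = 1;
            break;
        }
        if (m[0].rm_eo == 0 && *p == '\0')
            break;                              /* empty match at end of input */
        p += m[0].rm_eo > 0 ? m[0].rm_eo : 1;   /* resume after this match */
    }
    regfree(&preg);
    return found;
}

int main(void)
{
    char db[64];
    extract(LINE, RE, 0, 1, "", db, sizeof db);
    printf("match 0, submatch 1: \"%s\"\n", db);
    extract(" [unknown]@[unknown] LOG: x", RE, 0, 1, "", db, sizeof db);
    printf("unknown case:        \"%s\"\n", db);
    return 0;
}
```

In POSIX ERE the leading "[?[a-zA-Z0-9]+" is one bracket expression containing "?", "[", letters and digits, not an optional "[" followed by a class, which is why submatch 1 comes back as "[unknown]" with its brackets in the second case.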