On Wed, 29 Aug 2012, Jacob Steinberger wrote:
On 8/28/2012 4:58 PM, [email protected] wrote:
nobody has bothered to write a syslog-ng fixup parser yet
thinking about it, it's not that hard to do
Trying to do it within the bounds of the RH 3.22.1 release ... I can easily
come up with a template:
$template localpri,"%TIMESTAMP% %rawmsg:R,ERE,1,DFLT:local/([^ ]+)--end% %rawmsg:R,ERE,1,DFLT:local/[^ ]+ [^ ]+ (.*)--end%\n"
Template works great for events with that format. The trickier thing for me
at least is getting a working filter. I've tried ...
:rawmsg,ereregex,"local/[^ ]+ err|info|debug|notice"
:rawmsg,ereregex,"local/[^ ]+ (err|info|debug|notice)"
:rawmsg,ereregex,"local/[^ ]+ err" #(and each individual priority)
:rawmsg,ereregex,"err|info|debug|notice"
:rawmsg,ereregex,"(err|info|debug|notice)"
:rawmsg,ereregex," (err|info|debug|notice) "
All of them end up matching all rows, regardless if the words exist or not.
Is/was ereregex not fully supported in this old version or am I just flubbing
the syntax?
did you test these with the rsyslog regex tester?
www.rsyslog.com/regex
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
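An offline check of the filter and template expressions quoted in the thread, as an added example that is not part of the original messages: it runs them as plain POSIX EREs with grep and sed, so regex behaviour can be separated from rsyslog behaviour. The sample lines, their layout, the function names and the "-" placeholder for a non-matching field are assumptions made here; rsyslog's own no-match output is not modelled.

```shell
#!/bin/sh
# Constructed sample lines (not from the thread). Assumed layout:
#   <timestamp> <host> local/<name> <priority> <text>
SAMPLES='Aug 29 10:00:01 relay1 local/app1 err disk quota exceeded
Aug 29 10:00:02 relay1 local/app2 warning stderr closed
Aug 29 10:00:03 relay1 kernel: eth0 link up
Aug 29 10:00:04 relay1 sshd[411]: debug output is disabled'

# Count the sample lines selected by a POSIX ERE (hypothetical helper).
ere_count() {
    printf '%s\n' "$SAMPLES" | grep -E -c -- "$1"
}

# Emulate the template's two ERE fields: print submatch 1 of each
# expression per line, or "-" where the expression does not match.
# The leading ".*" is greedy, so this picks the last "local/" on a line;
# the samples contain at most one.
template_fields() {
    printf '%s\n' "$SAMPLES" | while IFS= read -r line; do
        f1=$(printf '%s\n' "$line" | sed -E -n 's#^.*local/([^ ]+).*$#\1#p')
        f2=$(printf '%s\n' "$line" | sed -E -n 's#^.*local/[^ ]+ [^ ]+ (.*)$#\1#p')
        printf '%s|%s\n' "${f1:--}" "${f2:--}"
    done
}

# Stand-alone run: report how many of the four sample lines each
# expression from the thread selects.
for re in \
    'local/[^ ]+ err|info|debug|notice' \
    'local/[^ ]+ (err|info|debug|notice)' \
    'err|info|debug|notice' \
    ' (err|info|debug|notice) '
do
    printf '%-40s %s of 4 lines\n' "$re" "$(ere_count "$re")"
done
template_fields
```

In ERE, alternation binds loosest, so the ungrouped first expression is four separate alternatives and also selects the sshd line; only the grouped form is limited to `local/` lines.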