> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of [email protected]
> Sent: Wednesday, August 29, 2012 11:06 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Old School Question
> 
> On Wed, 29 Aug 2012, Jacob Steinberger wrote:
> 
> > On 8/28/2012 4:58 PM, [email protected] wrote:
> >> nobody has bothered to write a syslog-ng fixup parser yet
> >>
> >> thinking about it, it's not that hard to do
> >
> > Trying to do it within the bounds of the RH 3.22.1 release ... I can easily
> > come up with a template:
> >
> > $template localpri,"%TIMESTAMP% %rawmsg:R,ERE,1,DFLT:local/([^ ]+)--end% %rawmsg:R,ERE,1,DFLT:local/[^ ]+ [^ ]+ (.*)--end%\n"
> >
> > Template works great for events with that format. The trickier thing for me
> > at least is getting a working filter. I've tried ...
> >
> > :rawmsg,ereregex,"local/[^ ]+ err|info|debug|notice"
> > :rawmsg,ereregex,"local/[^ ]+ (err|info|debug|notice)"
> > :rawmsg,ereregex,"local/[^ ]+ err" #(and each individual priority)
> > :rawmsg,ereregex,"err|info|debug|notice"
> > :rawmsg,ereregex,"(err|info|debug|notice)"
> > :rawmsg,ereregex," (err|info|debug|notice) "
> >
> > All of them end up matching all rows, regardless if the words exist or not.
> >
> > Is/was ereregex not fully supported in this old version or am I just flubbing
> > the syntax?

I don't remember, but I guess the old versions do not support ERE regexes.
Check the ChangeLog when it was introduced. Also, check if the doc set for that
version (it is in the same tarball) mentions it.

As general advice, it is useful to look at, and not throw away, syslog.*
error messages, where rsyslog complains about what bugs it. Again, the old
version may not be good at this...

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
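
The filter and template expressions from the thread can be checked outside rsyslog, as an added example that is not part of the original messages: `grep -E` and `sed -E` apply POSIX ERE semantics to a few sample lines, which helps separate a pattern problem from a problem with how the installed rsyslog handles `ereregex`. The sample lines are constructed, their layout is assumed from the poster's template, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample messages (not taken from the thread). Assumed layout,
# inferred from the template: "<timestamp> local/<name> <priority> <text>".
sample_lines() {
cat <<'EOF'
Aug 29 10:00:01 local/web01 err disk failure on sda
Aug 29 10:00:02 local/web01 warning fan speed low
Aug 29 10:00:03 local/db02 crit more information needed
Aug 29 10:00:04 relay01 sshd: notice of login from console
Aug 29 10:00:05 local/db02 debug cache warmed
EOF
}

# count_matches ERE: number of sample lines a POSIX ERE selects.
# grep -c exits 1 when the count is 0, so the status is neutralised.
count_matches() {
    sample_lines | grep -E -c -- "$1" || true
}

# extract_fields: same two captures as the template's regexes, read from stdin:
#   local/([^ ]+)              -> name after "local/"
#   local/[^ ]+ [^ ]+ (.*)     -> text after the priority word
extract_fields() {
    sed -E -n 's#^.*local/([^ ]+) [^ ]+ (.*)$#\1 \2#p'
}

report() {
    for ere in \
        'local/[^ ]+ err|info|debug|notice' \
        'local/[^ ]+ (err|info|debug|notice)' \
        'err|info|debug|notice' \
        ' (err|info|debug|notice) '
    do
        printf '%s of 5 lines match: %s\n' "$(count_matches "$ere")" "$ere"
    done
    sample_lines | extract_fields
}

report
```

Under ERE rules the ungrouped alternation is read as four separate alternatives, so it also selects lines that merely contain "info" or "notice" anywhere; only the parenthesised form ties the priority word to the `local/` prefix. None of the patterns selects every line here.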