Hello! I did a few tries and it looks like the rsyslog regex test page is not really working. I'd suggest you follow this guide and try in the rsyslog config instead: https://www.rsyslog.com/doc/master/configuration/property_replacer.html

It should be easy to set up one in a container or VM (or on your localhost) using a custom unix/udp/tcp socket bound to a specific ruleset which will write into a file. Alternatively, if you need more than just 1 field, I'd suggest trying the `mmnormalize` module instead. Use the `iptables`-type field, which should be able to parse this kind of message. Or maybe you can try `mmfields` to split by '\t' and then use the `field()` function to split by the `=` delimiter.

On Sun, 14 Feb 2021 at 14:44, Robert Crandall via rsyslog <rsyslog@lists.adiscon.com> wrote:

> I'm running rsyslog 8.2012.0 for the following.
>
> The following regex and message works fine for all regex flavors on
> regex101.com, but when using as an ERE template, the rsyslog regex test
> page at https://www.rsyslog.com/regex/ won't accept what I've entered as a
> valid regex and rsyslog fails as well.
>
> The regex I'm using is:
>
> AgentLogFile=([^\s]+)[\s]
>
> And the tab-delimited, tag/value message is:
>
> <13>Feb 13 21:43:17 wintest AgentDevice=WindowsLog AgentLogFile=System
> PluginVersion=1.0 Source=Source Computer=wintest
> OriginatingComputer=192.168.1.1 User= Domain= EventID=1234 EventIDCode=1234
> EventType=2 EventCategory=1 RecordNumber=12345 TimeGenerated=1613270597998
> TimeWritten=1613270597998 Level=WARNING Keywords=Warning Task=0 Opcode=Info
> Message=
>
> No matter what variation I've tried, the regex checker web page and rsyslog
> return a result of:
>
> **NO MATCH**
>
> Any help would be deeply appreciated
>
> rob
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.

--
Yury Bushmelev
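
Added example, not part of the original thread: a small C harness that runs the posted expression through the C library's POSIX ERE engine (`regcomp()` with `REG_EXTENDED`), where a backslash inside a bracket expression is a literal character, next to a variant using the POSIX class `[[:space:]]`. The sample message is a constructed, shortened copy of the one above with real tabs; the function name and the `User=` pattern are assumptions, and rsyslog's own template escaping and control-character handling are not modelled.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: shortened message from the thread, tab-delimited. */
static const char SAMPLE_MSG[] =
    "AgentDevice=WindowsLog\tAgentLogFile=System\tPluginVersion=1.0\t"
    "Computer=wintest\tUser=\tDomain=\tEventID=1234";

/* Compile `pattern` as a POSIX ERE, run it on `msg`, copy submatch 1 to `out`.
 * Returns 0 on match, 1 on no match, -1 on compile error or small buffer. */
int ere_capture(const char *pattern, const char *msg, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[2];
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    rc = regexec(&re, msg, 2, m, 0);
    regfree(&re);
    if (rc == REG_NOMATCH)
        return 1;
    if (rc != 0 || m[1].rm_so < 0)
        return -1;

    size_t len = (size_t)(m[1].rm_eo - m[1].rm_so);
    if (len >= outlen)
        return -1;
    memcpy(out, msg + m[1].rm_so, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    const char *patterns[] = {
        "AgentLogFile=([^\\s]+)[\\s]",             /* as posted: [\s] is '\' or 's' */
        "AgentLogFile=([^[:space:]]+)[[:space:]]", /* POSIX class: stops at the tab */
        "User=([^[:space:]]+)[[:space:]]",         /* empty field: '+' cannot match */
    };
    char value[64];

    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        int rc = ere_capture(patterns[i], SAMPLE_MSG, value, sizeof value);
        printf("%-42s -> %s\n", patterns[i], rc == 0 ? value : "(no match)");
    }
    return 0;
}
```

Under these assumptions the posted pattern does match but captures only `Sy`, because `[\s]` accepts the letter `s`; a truncated field value like this is worth checking for wherever parsed log fields feed alerting or correlation.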