Mailing List Archive

rsyslog.com regex checker/generator broken?
Hi there

Is it possible that the regex checker/generator on
https://www.rsyslog.com/regex/ is broken? I'm unfortunately not familiar
with POSIX regex and thus would have benefited from this to test my regex.
But the "magic" button does not really do anything except reloading the
page. Only when I encapsulate my regex with quotes " then the regex string
gets deleted (i.e. field is empty afterwards). That is all that is
happening regardless of what options I try. The same "nothing" happens in
Chrome, Firefox and Safari (each in their latest version) on a macOS
system. I'm not using any adblockers or so with Firefox, only a password
manager add-on. Chrome only has the pw manager and duckduckgo extension
installed (the latter is now disabled for rsyslog.com) and again the pw
manager extension in Safari. Hope it is not the password manager that broke
this site for me but I sincerely doubt it.

As regex I tried several things like:
[[:digit:]]\{1,3\}
[[:digit:]]
[[:digit:]]\?
[[:digit:]]?
Feb
^Feb
.*

If the page is broken does anyone know of a page like regex101.com that
supports POSIX regex where I can test my regex?

Or as last resort does anyone have the patience to help me with this? I
want to extract an IP address from the MSG part to write that into a
MariaDB. The writing to the DB works fine and I can basically extract
fields from the MSG with: '%msg:F,32:10%'
But unfortunately not every syslog message contains the same amount of
data/fields and thus the field numbers are not the same in every message.
Therefore I need to extract the IP address (plus some additional data but
when the IP part works I think I can get the rest to work as well) from the
MSG using regex.
Is this the correct regex to match an ip address?
[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}

Thank you very much for any help and
best regards,

Cyril Stoll
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: rsyslog.com regex checker/generator broken?
Thanks for the hint, it appears that the regex checker was broken after
our last big server update.
It should be working again, can you please check?


Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB
560610
Ust.-IDNr.: DE 81 22 04 622
Web: www.adiscon.com - Mail: info@adiscon.com

> -----Original Message-----
> From: rsyslog [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Cyril Stoll via rsyslog
> Sent: Thursday, February 20, 2020 5:47 PM
> To: rsyslog@lists.adiscon.com
> Cc: cyril.stoll@uzh.ch
> Subject: [rsyslog] rsyslog.com regex checker/generator broken?
Re: rsyslog.com regex checker/generator broken?
Hi Andre

Sorry for my late response. I had digest-mails activated and received the
last on the 21st of February just a couple of hours before your reply. The next
one came in today, so I did not see your answer until today.
Also I had "avoid duplicate copies of messages" activated which is probably
why I never received a direct response to my question. To be sure I'm not
messing up again I allowed myself to send this mail bcc to you as well.

Now to the question. The regex checker is doing more than before but does
not seem fully fixed. I attached a screenshot to this mail to show the
output of a regex that does actually work. In other words I did get that to
work so the correct fields get written to the database. But the
rsyslog.com/regex site does not show the correct output.

The original log message is quite a bit longer but to simplify things I
shortened that down to the following message of which I'm only interested
in the IP address but without the string "ip=".

time=11:13:32 devname="somedevice" devid="ABC123XYZ" dstip=10.11.12.13

The working template I'm using now looks as follows. Again simplified but
might help somebody else so here it is:

template(name="customSqlFormat" type="string" option.sql="on"
         string="insert into tablename (dstip) values ('%msg:R,ERE,2,ZERO:(dstip=)([1-2]?[0-9]{1,2}\\.[1-2]?[0-9]{1,2}\\.[1-2]?[0-9]{1,2}\\.[1-2]?[0-9]{1,2})--end%')")

I'm a bit pressed for time so this mail might be missing some information.
Just write me if you need more details.

Best regards,
Cyril Stoll

(See attached file: Screenshot_Regex-Checker.png)
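
Added example, not part of the thread or of rsyslog's code: an offline check of the expressions discussed above using the C library's POSIX regcomp/regexec, taking submatch 2 as the template's "R,ERE,2" does. The function name extract, the stricter pattern ERE_STRICT and the message MSG_BAD are constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Copy submatch `sub` of POSIX regex `pat` found in `msg` into `out`.
 * cflags is REG_EXTENDED for ERE or 0 for BRE. Returns 1 on match, else 0. */
int extract(const char *pat, int cflags, const char *msg,
            size_t sub, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m[3];
    int ok = 0;

    out[0] = '\0';
    if (sub >= 3 || regcomp(&re, pat, cflags) != 0)
        return 0;
    if (regexec(&re, msg, 3, m, 0) == 0 && m[sub].rm_so != -1) {
        size_t len = (size_t)(m[sub].rm_eo - m[sub].rm_so);
        if (len < outsz) {                /* never overflow the caller's buffer */
            memcpy(out, msg + m[sub].rm_so, len);
            out[len] = '\0';
            ok = 1;
        }
    }
    regfree(&re);
    return ok;
}

/* BRE asked about in the first post: intervals are written \{1,3\}. */
#define OCT_BRE "[[:digit:]]\\{1,3\\}"
const char *BRE_POST = OCT_BRE "\\." OCT_BRE "\\." OCT_BRE "\\." OCT_BRE;
/* ERE from the template in the last post; the regex itself sees "\." */
#define OCT_LOOSE "[1-2]?[0-9]{1,2}"
const char *ERE_POST = "(dstip=)(" OCT_LOOSE "\\." OCT_LOOSE "\\." OCT_LOOSE "\\." OCT_LOOSE ")";
/* Constructed stricter ERE (assumption, not from the thread): octets 0-255,
 * and the address must be followed by whitespace or end of message. */
#define OCT "(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
const char *ERE_STRICT = "(dstip=)(" OCT "\\." OCT "\\." OCT "\\." OCT ")([[:space:]]|$)";
/* Message from the thread, plus a constructed one with an impossible octet. */
const char *MSG_POST = "time=11:13:32 devname=\"somedevice\" devid=\"ABC123XYZ\" dstip=10.11.12.13";
const char *MSG_BAD = "time=11:13:32 devname=\"somedevice\" dstip=10.11.12.299";

int main(void)
{
    char ip[64];
    printf("%d '%s'\n", extract(ERE_POST, REG_EXTENDED, MSG_BAD, 2, ip, sizeof ip), ip);
    printf("%d '%s'\n", extract(ERE_STRICT, REG_EXTENDED, MSG_BAD, 2, ip, sizeof ip), ip);
    return 0;
}
```

The backslash-brace interval syntax from the first post only works when the pattern is compiled as BRE; compiled as ERE it matches nothing in the sample message.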