Mailing List Archive

ERE template help
I'm running rsyslog 8.2012.0 for the following.

The following regex and message works fine for all regex flavors on
regex101.com, but when using as an ERE template, the rsyslog regex test
page at https://www.rsyslog.com/regex/ won't accept what I've entered as a
valid regex and rsyslog fails as well.

The regex I'm using is:

AgentLogFile=([^\s]+)[\s]

And the tab-delimited, tag/value message is:

<13>Feb 13 21:43:17 wintest AgentDevice=WindowsLog AgentLogFile=System
PluginVersion=1.0 Source=Source Computer=wintest
OriginatingComputer=192.168.1.1 User= Domain= EventID=1234 EventIDCode=1234
EventType=2 EventCategory=1 RecordNumber=12345 TimeGenerated=1613270597998
TimeWritten=1613270597998 Level=WARNING Keywords=Warning Task=0 Opcode=Info
Message=

No matter what variation I've tried, the regex checker web page and rsyslog
return a result of:

**NO MATCH**

Any help would be deeply appreciated

rob
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
ERE template help
Not sure what happened on the copy/paste there, but the regex I'm using is
actually:

AgentLogFile=([^\s]+)\s

rob
Re: ERE template help
Hello!

I did a few tries and it looks like the rsyslog regex test page is not
really working.
I'd suggest you follow this guide and try in rsyslog config instead:
https://www.rsyslog.com/doc/master/configuration/property_replacer.html

It should be easy to set up one in a container or VM (or on your localhost)
using a custom unix/udp/tcp socket bound to a specific ruleset which will
write into a file.

Alternatively, if you need more than just 1 field I'd suggest trying the
`mmnormalize` module instead. Use the `iptables`-type field, which should be
able to parse this kind of message. Or maybe you can try `mmfields` to
split by '\t' and then use the `field()` function to split by the `=` delimiter.


On Sun, 14 Feb 2021 at 14:44, Robert Crandall via rsyslog <
rsyslog@lists.adiscon.com> wrote:
--
Yury Bushmelev
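Added example, not code from the thread or from the rsyslog project: a small C program that compiles a pattern with the C library's regcomp(REG_EXTENDED), the POSIX ERE engine that rsyslog's ERE mode is built on, so a template regex can be checked offline instead of on the web tester. The message is a constructed stand-in for the one in the thread (with real tab separators), and the program runs the thread's pattern beside a portable spelling that uses POSIX character classes instead of `\s`.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample modelled on the message in the thread: tag=value
 * pairs separated by tabs (the mail client rendered them as spaces). */
static const char SAMPLE_MSG[] =
    "AgentDevice=WindowsLog\tAgentLogFile=System\tPluginVersion=1.0\t"
    "Source=Source\tComputer=wintest\tOriginatingComputer=192.168.1.1";

/* Compile `pattern` as a POSIX ERE (REG_EXTENDED), run it over `msg` and
 * copy submatch 1 into `out`.  Returns 1 on a match, 0 on no match and
 * -1 when the pattern does not compile (what rsyslog would reject). */
int ere_submatch(const char *pattern, const char *msg, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m[2];
    size_t len;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    int rc = regexec(&re, msg, 2, m, 0);
    regfree(&re);
    if (rc != 0 || m[1].rm_so < 0)
        return 0;
    len = (size_t)(m[1].rm_eo - m[1].rm_so);
    if (len >= outsz)
        len = outsz - 1;
    memcpy(out, msg + m[1].rm_so, len);
    out[len] = '\0';
    return 1;
}

int main(void)
{
    char buf[64];
    /* Pattern from the thread.  In a POSIX bracket expression a backslash
     * is an ordinary character, so [^\s] means "anything except '\' or 's'",
     * not "non-whitespace" as it does in the regex101 flavours. */
    const char *perl_style = "AgentLogFile=([^\\s]+)\\s";
    /* Portable ERE spelling using POSIX character classes. */
    const char *posix_style = "AgentLogFile=([^[:space:]]+)[[:space:]]";

    printf("perl-style : %s\n",
           ere_submatch(perl_style, SAMPLE_MSG, buf, sizeof buf) == 1 ? buf : "(no match)");
    printf("posix-style: %s\n",
           ere_submatch(posix_style, SAMPLE_MSG, buf, sizeof buf) == 1 ? buf : "(no match)");
    return 0;
}
```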
Re: ERE template help
Thanks for the confirmation and will look into what you've suggested.

On Sun, Feb 14, 2021 at 10:35 PM Yuri Bushmelev via rsyslog <
rsyslog@lists.adiscon.com> wrote: