Hi all
I'm having a strange problem creating a re_match() rule for
rsyslog-8.24.0-57.el7_9.1.x86_64
Syslog string:
Dec 9 13:53:50 SIEM-OS-LOG-TEST sshd[1546]: debug3: mm_request_receive entering
Condition:
if re_match($msg, ' debug[0-9]') and not ($msg contains 'mm_audit_run_command') then stop
The PROBLEM:
When whitespace appears before the "debug[0-9]" the regex stops matching.
I've used the online checker at https://www.rsyslog.com/regex/
and the '(sshd[[0-9]+]: debug[0-9])' expression is working but not in
rsyslog.conf
I've tried a dozen regexp variants and googled for two days but no luck.
Please help.
Sergey
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
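One thing worth checking when a pattern works in the online checker but not in rsyslog.conf is which property the rule is actually matching against. In rsyslog, $msg is only the MSG part of the message (the text after the syslogtag), while $rawmsg is the whole line as received; the online checker matches whatever full line is pasted into it. The following script is an added example, not code from the post or from the rsyslog project. It parses the sample line from the post into a simplified model of rsyslog's properties (the splitting rules are an assumption, not rsyslog's parser), evaluates each candidate pattern against $msg and $rawmsg with Python's re module standing in for the POSIX ERE engine behind re_match(), and then applies Sergey's full stop-rule, including the mm_audit_run_command exception, to a second constructed line.

```python
import re
import warnings

# Python's re flags "[[" at the start of a bracket expression as a possible
# nested set (FutureWarning). POSIX ERE, which rsyslog's re_match() uses,
# simply treats that "[" as a literal member of the bracket expression, so the
# warning is noise for the patterns tested here.
warnings.filterwarnings("ignore", category=FutureWarning)

# Constructed sample lines: the first is the line quoted in the post, the second
# is an invented sibling containing the string the rule is meant to keep.
SAMPLE_LINES = [
    "Dec 9 13:53:50 SIEM-OS-LOG-TEST sshd[1546]: debug3: mm_request_receive entering",
    "Dec 9 13:53:51 SIEM-OS-LOG-TEST sshd[1546]: debug3: mm_audit_run_command entering",
]

# The candidate expressions from the post plus the bare form without the leading space.
CANDIDATE_PATTERNS = [
    " debug[0-9]",
    "(sshd[[0-9]+]: debug[0-9])",
    "debug[0-9]",
]

# Simplified split of a BSD-style syslog line into rsyslog-like properties.
# This models, not reproduces, rsyslog's parser: the tag runs up to the first
# colon and MSG is everything after it, leading space included.
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<syslogtag>\S+?:)"
    r"(?P<msg>.*)$"
)


def parse_syslog(raw):
    """Return a dict of rsyslog-style properties for one raw syslog line."""
    m = LINE_RE.match(raw)
    if not m:
        raise ValueError("line does not look like BSD syslog: %r" % raw)
    props = m.groupdict()
    props["rawmsg"] = raw  # $rawmsg: the complete line as received
    return props


def re_match(value, pattern):
    """Approximate rsyslog's re_match(): 1 if the ERE matches anywhere, else 0."""
    return 1 if re.search(pattern, value) else 0


def evaluate_patterns(props, patterns):
    """Show, per pattern, whether it matches $msg and whether it matches $rawmsg."""
    return {
        p: {"msg": re_match(props["msg"], p), "rawmsg": re_match(props["rawmsg"], p)}
        for p in patterns
    }


def rule_stops(props):
    """Sergey's condition: drop sshd debug chatter unless it is an audit message."""
    return re_match(props["msg"], " debug[0-9]") == 1 and "mm_audit_run_command" not in props["msg"]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        props = parse_syslog(line)
        print("syslogtag=%r msg=%r" % (props["syslogtag"], props["msg"]))
        for pattern, result in evaluate_patterns(props, CANDIDATE_PATTERNS).items():
            print("  %-30r msg=%d rawmsg=%d" % (pattern, result["msg"], result["rawmsg"]))
        print("  rule says stop: %s" % rule_stops(props))
```

On this model the pattern that includes the tag, `(sshd[[0-9]+]: debug[0-9])`, matches $rawmsg but can never match $msg, because $msg starts after the tag; the two patterns that begin at `debug` match both. If the live rsyslog result still disagrees with the script, logging the message through a template that prints `%msg%` between visible delimiters shows exactly what re_match() is seeing.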