<div dir="ltr">Hi Evan,<div><br></div><div>I have tried both pcre and posix and neither seems to work.</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jan 15, 2019 at 4:08 PM Evan Rempel &lt;<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="gmail-m_5419114083870337225moz-cite-prefix">You have defined your regular expression
as "posix" which does not have the \d \s etc.</div>
<div class="gmail-m_5419114083870337225moz-cite-prefix">If you change the type to "pcre" then
it should work for you.</div>
<div class="gmail-m_5419114083870337225moz-cite-prefix"><br>
</div>
<div class="gmail-m_5419114083870337225moz-cite-prefix"><br>
</div>
<div class="gmail-m_5419114083870337225moz-cite-prefix">On 1/15/19 2:01 PM, N. Max Pierson
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi List,
<div><br>
</div>
<div>I am using version 3.5 and it seems as though regex
(posix or pcre) doesn't work completely. Take the example
string below (which is the message part of the syslog). </div>
<div><br>
</div>
<div>Jan 15 15:50:57 CST: %DAEMON-3-SYSTEM_MSG: NTP Receive
dropping message: Received NTP control mode packet. Drop
count:147972 - ntpd[15029]<br>
</div>
<div><br>
</div>
<div>I am trying to match the date at the beginning of the
message and remove it. When I use \w, \s, \d, etc, they do
not match anything. If I match on character classes it
works fine (ex [a-z]+ or [0-9]+).</div>
<div><br>
</div>
<div>Here is my statement for the rewrite rule.</div>
<div><br>
</div>
<div>rewrite r_nexus{ subst("^[a-z]+ [0-9]+
[0-9]+:[0-9]+:[0-9]+ [a-z]+: ", "", value("MESSAGE"),
type("posix"), flags("ignore-case"),
condition(filter(f_nexus))); };<br>
</div>
<div><br>
</div>
<div>The above seems to get me what I want but are the
character matches not supposed to work in syslog-ng
version 3.5??</div>
<div><br>
</div>
<div>Regards,</div>
<div>Max</div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote></div>