<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">You have defined your regular expresion
as "posix" which does not have the \d \s etc.</div>
<div class="moz-cite-prefix">If you change the type to "pcre" then
it should work for you.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 1/15/19 2:01 PM, N. Max Pierson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAD69L83S+3eKsQYzfYfJGTqCY_z5P-wfQ5h=vVBW98M7cVJaKg@mail.gmail.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi List,
<div><br>
</div>
<div>I am using version 3.5 and it seems as though regex
(posix or pcre) doesn't work completely. Take the example
string below (which is the message part of the syslog). </div>
<div><br>
</div>
<div>Jan 15 15:50:57 CST: %DAEMON-3-SYSTEM_MSG: NTP Receive
dropping message: Received NTP control mode packet. Drop
count:147972 - ntpd[15029]<br>
</div>
<div><br>
</div>
<div>I am trying to match the date at the beginning of the
message and remove it. When I use \w, \s, \d, etc, they do
not match anything. If I match on a character classes it
works fine (ex [a-z]+ or [0-9]+).</div>
<div><br>
</div>
<div>Here is my statement for the rewrite rule.</div>
<div><br>
</div>
<div>rewrite r_nexus{ subst("^[a-z]+ [0-9]+
[0-9]+:[0-9]+:[0-9]+ [a-z]+: ", "", value("MESSAGE"),
type("posix"), flags("ignore-case"),
condition(filter(f_nexus))); };<br>
</div>
<div><br>
</div>
<div>The above seems to get me what I want but are the
character matches not supposed to work in syslog-ng
version 3.5??</div>
<div><br>
</div>
<div>Regards,</div>
<div>Max</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
</blockquote>
<br>
</body>
</html>