Martin Holste <mcholste@gmail.com> writes:
> #4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down
> #1y46w: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40).
> [...]
> #Feb 6 16:43:32.219: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up
> [...]
> # Others where MSGONLY starts with PROGRAM
> [...]
> This works, but is there a better way?
I haven't reviewed the regexps yet, but looking at the format... wouldn't it make more sense to implement a new, hand-coded parser that can catch these? So, we'd end up with something like:

  source s_cisco { udp(... flags(no-parse)); };
  parser p_cisco { cisco(); };
  ...
  log { source(s_cisco); parser(p_cisco); destination(d_file); };

The parser would first check if the line starts with a number, and if it does, it parses a relative date (or whatever that 4w4d thing is), followed by a program name (I assume), and a message. If it doesn't start with a number, it would try to extract a date, followed by a program and a message. If it fails, then it falls back to $program: $message.

That should catch all of the above, and can be coded without regexps, so its speed and CPU load would be much better. The downside is that this way you can't mix cisco messages with others. However, if you do need to mix, you could filter by source IP, which is still faster than a regexp.

-- 
|8]
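The three-way dispatch sketched in the reply (uptime stamp such as "4w4d", absolute date such as "Feb 6 16:43:32.219", and a plain "program: message" fallback), written out as an added C example. This is not syslog-ng code and not the cisco() parser the reply proposes; the cisco_msg struct, its field sizes, the function names and the non-Cisco sample line are assumptions made for this example. The field separator is taken to be the first ':' followed by a space, which steps over the colons inside the time of day without a regexp; every copy is bounded so an over-long line is truncated rather than overflowing a field.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of one parse (constructed for this example). */
typedef struct {
    int  branch;            /* 1 = uptime stamp, 2 = absolute date, 3 = fallback */
    char timestamp[64];     /* empty in the fallback branch */
    char program[64];       /* e.g. "%LINK-3-UPDOWN"; empty if no separator found */
    char message[512];
} cisco_msg;

/* Copy [start, end) into dst, truncating to dst_len - 1 bytes. */
static void copy_span(char *dst, size_t dst_len, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n >= dst_len)
        n = dst_len - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* First ':' that is followed by a space, i.e. a field separator.
   The colons inside "16:43:32.219" are followed by digits and are skipped. */
static const char *field_end(const char *s)
{
    for (; *s; s++)
        if (s[0] == ':' && s[1] == ' ')
            return s;
    return NULL;
}

/* Split "PROGRAM: message" at the first separator; with no separator the
   whole text becomes the message and program stays empty. */
static void split_program(cisco_msg *out, const char *s)
{
    const char *sep = field_end(s);
    if (sep) {
        copy_span(out->program, sizeof out->program, s, sep);
        s = sep + 2;
    }
    copy_span(out->message, sizeof out->message, s, s + strlen(s));
}

/* "Mon " at the start of the line: the absolute-date case. */
static int starts_with_month(const char *s)
{
    static const char *months[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
    size_t i;
    for (i = 0; i < sizeof months / sizeof months[0]; i++)
        if (strncmp(s, months[i], 3) == 0 && s[3] == ' ')
            return 1;
    return 0;
}

/* Uptime stamps like 4w4d or 1y46w: letters and digits only, no spaces. */
static int is_uptime_token(const char *s, const char *end)
{
    if (s == end)
        return 0;
    for (; s < end; s++)
        if (!isalnum((unsigned char)*s))
            return 0;
    return 1;
}

/* Parse one line; returns the branch taken (1, 2 or 3). */
int cisco_parse(const char *line, cisco_msg *out)
{
    const char *sep;
    memset(out, 0, sizeof *out);
    while (*line == ' ')
        line++;

    if (isdigit((unsigned char)*line)) {
        /* Branch 1: line starts with a number -> relative (uptime) stamp. */
        sep = field_end(line);
        if (sep && is_uptime_token(line, sep)) {
            out->branch = 1;
            copy_span(out->timestamp, sizeof out->timestamp, line, sep);
            split_program(out, sep + 2);
            return out->branch;
        }
    } else if (starts_with_month(line)) {
        /* Branch 2: try an absolute date, then program and message. */
        sep = field_end(line);
        if (sep) {
            out->branch = 2;
            copy_span(out->timestamp, sizeof out->timestamp, line, sep);
            split_program(out, sep + 2);
            return out->branch;
        }
    }
    /* Branch 3: fall back to $program: $message. */
    out->branch = 3;
    split_program(out, line);
    return out->branch;
}

int main(void)
{
    /* Sample lines: the first three are from the quoted post, the last is constructed. */
    static const char *samples[] = {
        "4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down",
        "1y46w: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40).",
        "Feb 6 16:43:32.219: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up",
        "sshd: Accepted publickey for admin",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        cisco_msg m;
        cisco_parse(samples[i], &m);
        printf("branch=%d ts=[%s] program=[%s] message=[%s]\n",
               m.branch, m.timestamp, m.program, m.message);
    }
    return 0;
}
```

A line that starts with a digit but is not an uptime stamp (an IP address, say) fails the alnum check and drops to the fallback instead of being mis-filed as a relative timestamp; the same happens for a date-looking line with no separator at all.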