Hi Max!

The whitespace rule in the timestamp field comes from the old BSD syslog format, it is described in the RFC too:
https://tools.ietf.org/html/rfc3164#section-4.1.2

"The TIMESTAMP field is the local time and is in the format of "Mmm dd hh:mm:ss" "
" If the day of the month is less than 10, then it MUST be represented as a space and then the number. For example, the 7th day of August would be represented as "Aug  7", with two spaces between the "g" and the "7".

Regards,
Gabor

On Fri, Feb 8, 2019 at 5:33 PM N. Max Pierson <nmaxpierson@gmail.com> wrote:
Hi Even,

Yes I am using single quotes on this pattern. I added \s+ and that seems to resolve my issue. Looks like if it's a date in the 1-9 range it uses 2 spaces instead of one even though it doesn't seem to display it when I match on just a single \s. Strange but I think I have what I need so that this regex doesn't break when the days change from single days to double digit days.

Thanks!

Regards,
Max

On Fri, Feb 8, 2019 at 10:24 AM Evan Rempel <erempel@uvic.ca> wrote:
When using regular expressions that include the \ character (and perhaps others) they need to be in single quotes, not double quotes.

Also, the dates of the form  Feb 8 10:11:54" often have a leading space on the day, so that your regex really needs to be '^\w+\s+\d+' to match both
Feb  9 10:11:54
Feb 19 10:11:54

Not sure if that was your case, but it is a safer regex to cover such cases.

I cant speak to why the space gets eaten in your '8 09:55:54 CST: ' example.

Evan.

On 2/8/19 8:18 AM, N. Max Pierson wrote:
Hi List,

I am having some weird issues with rewrite regex that I cannot explain. I am simply trying to filter out the first part of the message which has the date in this format.

Feb 8 09:13:32 CST:  (there is one space at the end)

 When I use the following syntax, it doesn't match as expected.

^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s

I know this is the correct pattern because it works just fine on www.regexpal.com. I did some further testing and I have narrowed it down to the below ...

^\w+
8 09:55:54 CST:  (this seemed to also remove the space behind the month)

^\w+\s
8 09:59:37 CST:  (notice this is the exact same as the above without the beginning space)

^\w+\s\d+
Feb 8 10:07:04 CST:  (doesn't match anything as though the space between Feb and 8 isn't there)

^\w+\d+
Feb 8 10:11:54 CST:  (again doesn't match anything as though there is a space between Feb and 8)

So it seems to be something either with \w word class or the + quantifier and it somehow eats the space behind it possibly?? I am running 3.19.1 on Centos 7.

Can anyone test this to confirm it isn't just local to my install for whatever reason?

Regards,
Max


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq