[syslog-ng] Regex Irregularities

Evan Rempel erempel at uvic.ca
Fri Feb 8 16:24:43 UTC 2019

When using regular expressions that include the \ character (and perhaps others) they need to be in single quotes, not double quotes.

Also, the dates of the form "Feb 8 10:11:54" often have a leading space on the day, so that your regex really needs to be '^\w+\s+\d+' to match both
Feb  9 10:11:54
Feb 19 10:11:54

Not sure if that was your case, but it is a safer regex to cover such cases.

I can't speak to why the space gets eaten in your '8 09:55:54 CST: ' example.


On 2/8/19 8:18 AM, N. Max Pierson wrote:
> Hi List,
> I am having some weird issues with rewrite regex that I cannot explain. I am simply trying to filter out the first part of the message which has the date in this format.
> Feb 8 09:13:32 CST:  (there is one space at the end)
>  When I use the following syntax, it doesn't match as expected.
> ^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s
> I know this is the correct pattern because it works just fine on www.regexpal.com. I did some further testing and I have narrowed it down to the below ...
> ^\w+
> 8 09:55:54 CST:  (this seemed to also remove the space behind the month)
> ^\w+\s
> 8 09:59:37 CST:  (notice this is the exact same as the above without the beginning space)
> ^\w+\s\d+
> Feb 8 10:07:04 CST:  (doesn't match anything as though the space between Feb and 8 isn't there)
> ^\w+\d+
> Feb 8 10:11:54 CST:  (again doesn't match anything as though there is a space between Feb and 8)
> So it seems to be something either with \w word class or the + quantifier and it somehow eats the space behind it possibly?? I am running 3.19.1 on CentOS 7.
> Can anyone test this to confirm it isn't just local to my install for whatever reason?
> Regards,
> Max
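
An added example, not part of the original thread: it runs the pattern from the question and the same pattern with the `\s+` from the reply over constructed sample lines, and renders the pattern for a double-quoted syslog-ng string, where backslash is an escape character and must be doubled. Python's `re` stands in for syslog-ng's regex engine (an assumption; these classes behave the same on such ASCII input), and all function names are hypothetical.

```python
import re

# Constructed sample lines (not from the thread). BSD-style syslog
# timestamps pad a single-digit day with an extra space.
SAMPLES = [
    "Feb  9 10:11:54 CST: link up",   # single-digit day, space-padded
    "Feb 19 10:11:54 CST: link up",   # two-digit day
]

# Pattern from the quoted question: exactly one whitespace after the month.
STRICT = r"^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s"
# Same pattern with the \s+ suggested in the reply.
TOLERANT = r"^\w+\s+\d+\s\d+:\d+:\d+\s\w+:\s"


def strip_prefix(pattern, line):
    """Remove the leading timestamp once; unchanged line means no match."""
    return re.sub(pattern, "", line, count=1)


def unmatched(pattern, lines):
    """Return the lines the pattern fails to strip."""
    return [line for line in lines if strip_prefix(pattern, line) == line]


def to_double_quoted(pattern):
    """Render a regex for a double-quoted syslog-ng string, doubling each
    backslash so the config parser passes it through to the regex engine."""
    return '"' + pattern.replace("\\", "\\\\") + '"'


if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("tolerant", TOLERANT)):
        print(name, "misses:", unmatched(pat, SAMPLES))
    # Single quotes take the pattern literally; double quotes need escaping.
    print("single-quoted:", "'" + TOLERANT + "'")
    print("double-quoted:", to_double_quoted(TOLERANT))
```
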
