[syslog-ng] Rewrite regex not working entirely

Szakacs, Attila attila.szakacs at balabit.com
Wed Jan 16 11:41:03 UTC 2019


Hi Max,

I tried "\w\d", etc. in a "pcre" type subst rewrite rule on 3.19.
My config:

@version: 3.19
@include "scl.conf"

source s_udp5001 {
  udp(
    port(5001)
    keep-hostname(yes)
    flags(no-parse)
  );
};

destination d_test {
  file(
    "/tmp/test.log"
  );
};

rewrite r_chars {
  subst(
    "^[a-z]+ [0-9]+ [0-9]+:[0-9]+:[0-9]+ [a-z]+: ",
    "",
    value("$MESSAGE"),
    type("pcre"),
    flags("ignore-case")
  );
};

rewrite r_pcre {
  subst(
    '^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s',
    "",
    value("$MESSAGE"),
    type("pcre"),
    flags("ignore-case")
  );
};

log {
  source(s_udp5001);
  #rewrite(r_chars);
  rewrite(r_pcre);
  destination(d_test);
};

I think you need to make sure that the regular expression is set between
single quotes (e.g.: '^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s')

Best regards,
Attila

On Tue, Jan 15, 2019 at 11:12 PM N. Max Pierson <nmaxpierson at gmail.com>
wrote:

> Hi Evan,
>
> I have tried both pcre and posix and neither seem to work.
>
> On Tue, Jan 15, 2019 at 4:08 PM Evan Rempel <erempel at uvic.ca> wrote:
>
>> You have defined your regular expression as "posix" which does not have
>> the \d \s etc.
>> If you change the type to "pcre" then it should work for you.
>>
>>
>> On 1/15/19 2:01 PM, N. Max Pierson wrote:
>>
>> Hi List,
>>
>> I am using version 3.5 and it seems as though regex (posix or pcre)
>> doesn't work completely. Take the example string below (which is the
>> message part of the syslog).
>>
>> Jan 15 15:50:57 CST: %DAEMON-3-SYSTEM_MSG: NTP Receive dropping message:
>> Received NTP control mode packet. Drop count:147972  - ntpd[15029]
>>
>> I am trying to match the date at the beginning of the message and remove
>> it. When I use \w, \s, \d, etc., they do not match anything. If I match on
>> character classes it works fine (ex [a-z]+ or [0-9]+).
>>
>> Here is my statement for the rewrite rule.
>>
>> rewrite r_nexus{ subst("^[a-z]+ [0-9]+ [0-9]+:[0-9]+:[0-9]+ [a-z]+: ",
>> "", value("MESSAGE"), type("posix"), flags("ignore-case"),
>> condition(filter(f_nexus))); };
>>
>> The above seems to get me what I want but are the character matches not
>> supposed to work in syslog-ng version 3.5?
>>
>> Regards,
>> Max
>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
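The quoting point Attila makes above, worked through as an added example (Python rather than a syslog-ng config, so it runs stand-alone; it is not code from the thread or from the syslog-ng project). The `unescape_double_quoted` function is an assumed, simplified model of how syslog-ng reads a double-quoted config string (recognised escapes such as \n become control characters, any other backslash is dropped); the sample message is the one Max posted.

```python
import re

# Constructed sample: the message part Max posted (no syslog header).
MESSAGE = ("Jan 15 15:50:57 CST: %DAEMON-3-SYSTEM_MSG: NTP Receive dropping message: "
           "Received NTP control mode packet. Drop count:147972  - ntpd[15029]")

# The regex exactly as typed between the quotes in the subst() rule.
PATTERN = r'^\w+\s\d+\s\d+:\d+:\d+\s\w+:\s'

# What the rewrite should leave in $MESSAGE once the timestamp prefix is removed.
EXPECTED = MESSAGE[len("Jan 15 15:50:57 CST: "):]

# Escapes a double-quoted config string turns into control characters
# (assumption: simplified model; hex/octal escapes are not modelled).
_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "a": "\a", "v": "\v", "e": "\x1b"}


def unescape_double_quoted(text):
    """Model of reading a *double-quoted* config string: a known escape becomes
    its control character, any other backslash-character pair loses the
    backslash, so \\d becomes a plain 'd' and \\\\ becomes a single backslash."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(_SIMPLE_ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def unescape_single_quoted(text):
    """A single-quoted config string is taken literally; nothing is unescaped."""
    return text


def apply_subst(pattern_as_read, message):
    """Mimic subst(): replace the first match of the pattern with an empty string."""
    return re.sub(pattern_as_read, "", message, count=1)


def rewrite_variants(message=MESSAGE):
    """What each way of quoting the rule leaves in $MESSAGE."""
    return {
        "single_quoted": apply_subst(unescape_single_quoted(PATTERN), message),
        "double_quoted": apply_subst(unescape_double_quoted(PATTERN), message),
        # Doubling every backslash inside double quotes survives the unescaping.
        "double_quoted_escaped": apply_subst(
            unescape_double_quoted(PATTERN.replace("\\", "\\\\")), message),
    }
```

In the double-quoted case the pattern that actually reaches PCRE is `^w+sd+sd+:d+:d+sw+:s`, which matches nothing, while `[a-z]+` and `[0-9]+` contain no backslashes and so behave the same under either quoting.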