MonitorWare Knowledge Base

Hi guys

Hope you can help with why my regex expression in rsyslog is not matching.
Im trying to extract the FIRST instance of the ip address from the following string

%Juniper-4-[syslog@juniper.net dayId="20061012" recordId="0" timeRecv="2006/10/12 21:52:21" timeGen="2006/10/12 21:52:21" domain="" devDomVer2="0" device_ip="10.209.83.4" cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN" srcZn="NULL" srcIntf="NULL" srcAddr="192.168.170.20" srcPort="63396" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="192.168.170.10" dstPort="27374" natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="5" policy="Policy2" rulebase="IDS" ruleNo="4" action="NONE" severity="LOW" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="31" misc="<017>interface=eth2" user="NULL" app="NULL" uri="NULL"] [1]

im using %msg:R,ERE,1,DFLT:(\d{1,3}\.){3}\d{1,3}--end% but it only retrusn **NO MATCH**
i checked the regex (\d{1,3}\.){3}\d{1,3} in regexbuddy and it seems to be correct

Any ideas

Thanks
Stuart

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?