MonitorWare Knowledge Base

Hi,

I'm trying to configure rsyslog to drop lines where the message contains a certain message.

Here are the lines from syslog that I want to filter:

Jan 18 04:04:18 SOMESEREVE su(pam_unix)[3414]: session closed for user oracle
Jan 18 04:04:19 SOMESERVER su(pam_unix)[3465]: session opened for user oracle by (uid=0)

and heres the config line from my rsyslog.conf file:

:msg,regex," session (opened|closed) for user oracle" ~

From my experience, this should be a valid regex but it doesn't match anything as far as rsyslog is concerned.

Anyone have any ideas what could be wrong?

Thanks.

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

I believe the ":property,regex,'expression'" construct uses standard POSIX regular expressions, which do not support alternation. I don't believe that you can use extended Regexes in this type of expression. Can anyone confirm?

Also, perhaps someone (Rainer?) can speak to the difficulty of programatically enabling ERE in the filter conditions?

Assuming there's no quick/easy solution for using ERE in this type of setup, you can get the same sort of behavior with two separate lines.

-HKS

sorry, I've been pretty swamped today and probably will until the end of the week. I'll have a look and if it is the ERE issue, I, too, think that should be relatively trivial to add. Will keep you posted. Please ping me if I have not replied by monday.

Rainer