Regex template

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards

Google Ads

Regex template

Postby azurtem » Tue May 30, 2017 11:43 am


I have a Mikrotik router set up to send log messages to a Debian Syslog server which look like the following:
Code: Select all GET action=allow cache=MISS

In order to alleviate the overall required storage space I would like to discard the last part of these notification messages, specifically: " action=allow cache=MISS"
For the moment I execute a nightly Mysql UPDATE to remove the unnecessary text from the day's stored records
I'd prefer however to use a template to discard this extra text before the record gets stored into the database table
The expression I'm trying to use is the following:
Code: Select all
^(.+)(?=.action\=allow cache\=MISS$)

Using the Regular Expression Checker/Generator I obtained the following suggestion:
Code: Select all
$Template tpl,"%msg:R,ERE,0,DFLT:^(.+)(?=.action\=allow cache\=MISS$)--end%\n"

I therefore added this line to my rsyslog.conf and modified my Mysql storage command as follows:
Code: Select all
*.* :ommysql:,Syslog,rsyslog,passwor;tpl

Unfortunately this doesn't work, probably because POSIX doesn't accept the look ahead instruction
If this isn't the case, could someone point me in the right direction please ?
If it is then could anyone suggest another manner to filter out this extra text please ?

Posts: 1
Joined: Tue May 30, 2017 9:37 am

Urgent Question?

  • Pulling out your Hair?
  • Wasting Time and Money?
  • Deadline Approaching?

Google Ads

Return to Configuration

Who is online

Users browsing this forum: No registered users and 2 guests