Regex template

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards

Google Ads


Regex template

Postby azurtem » Tue May 30, 2017 11:43 am

Hi

I have a Mikrotik router set up to send log messages to a Debian Syslog server which look like the following:
Code: Select all
192.168.22.167 GET http://clients3.google.com/generate_204 action=allow cache=MISS

In order to alleviate the overall required storage space I would like to discard the last part of these notification messages, specifically: " action=allow cache=MISS"
For the moment I execute a nightly Mysql UPDATE to remove the unnecessary text from the day's stored records
I'd prefer however to use a template to discard this extra text before the record gets stored into the database table
The expression I'm trying to use is the following:
Code: Select all
^(.+)(?=.action\=allow cache\=MISS$)

Using the Rsyslog.com Regular Expression Checker/Generator I obtained the following suggestion:
Code: Select all
$Template tpl,"%msg:R,ERE,0,DFLT:^(.+)(?=.action\=allow cache\=MISS$)--end%\n"

I therefore added this line to my rsyslog.conf and modified my Mysql storage command as follows:
Code: Select all
*.* :ommysql:127.0.0.1,Syslog,rsyslog,passwor;tpl

Unfortunately this doesn't work, probably because POSIX doesn't accept the look ahead instruction
If this isn't the case, could someone point me in the right direction please ?
If it is then could anyone suggest another manner to filter out this extra text please ?

thanks
yann
azurtem
New
 
Posts: 1
Joined: Tue May 30, 2017 9:37 am

Urgent Question?

  • Pulling out your Hair?
  • Wasting Time and Money?
  • Deadline Approaching?

Google Ads


Return to Configuration

Who is online

Users browsing this forum: No registered users and 1 guest

cron