
regex for rsyslog to exclude a pattern

I need an rsyslog regex to forward all the messages containing the word "FIREWALL" to a remote server. The original log format is:

Jul 24 16:33:09 FW02 kernel: [3456825.472985] FIREWALL_DENY_IN: IN=eth2 OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51512 DPT=694 LEN=217

The required log format is to be without the kernel times:

Jul 24 16:33:09 FW02 kernel: FIREWALL_DENY_IN: IN=eth2 OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51512 DPT=694 LEN=217

My experience with regex is basic. I was able to match the part I need to exclude with:

[ *[0-9]*\\.[0-9]*\\]

but that's all. The regex must be validated on http://www.rsyslog.com/regex/

Disclaimer: I have no idea how rsyslog works, but perhaps the regex below can help

^([^[]*).*\\](.*)$

Submatch 1:

"Jul 24 16:33:09 FW02 kernel: "

Submatch 2:

" FIREWALL_DENY_IN: IN=eth2 OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51512 DPT=694 LEN=217"
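As an added example (not part of the question or the answer above), the script below applies the answer's regex to the sample line and rebuilds the required format from the two submatches. It also tries a tighter pattern, my own assumption built from the asker's attempt, that strips only the bracketed kernel uptime stamp, which matters when a message contains a later "]".

```python
import re

# Constructed sample input: the original and required lines from the question.
ORIGINAL = ("Jul 24 16:33:09 FW02 kernel: [3456825.472985] FIREWALL_DENY_IN: IN=eth2 "
            "OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 "
            "DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
            "SPT=51512 DPT=694 LEN=217")
REQUIRED = ("Jul 24 16:33:09 FW02 kernel: FIREWALL_DENY_IN: IN=eth2 "
            "OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 "
            "DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
            "SPT=51512 DPT=694 LEN=217")
# Constructed extra lines: one without FIREWALL, one with a "]" after the stamp.
NON_FW = "Jul 24 16:33:11 FW02 sshd[123]: Accepted publickey for admin from 10.0.0.5"
TRAILING_BRACKET = "Jul 24 16:33:10 FW02 kernel: [3456826.000000] FIREWALL_DENY_IN: IN=eth2 [x]"

# The answer's regex: submatch 1 is everything before the first "[",
# submatch 2 is everything after the LAST "]" (".*" is greedy).
ANSWER_RE = re.compile(r"^([^[]*).*\](.*)$")

# Tighter pattern (assumption, not from the answer): remove one bracketed
# "[seconds.micros] " stamp and leave any later "]" in the message alone.
KERNEL_TS_RE = re.compile(r"\[ *[0-9]+\.[0-9]+\] ")


def strip_with_answer_regex(line):
    """Rebuild the line from the answer's two submatches."""
    m = ANSWER_RE.match(line)
    if not m:
        return line
    # Submatch 1 ends with a space and submatch 2 starts with one; drop the
    # extra space so the result equals the required format exactly.
    return m.group(1) + m.group(2).lstrip(" ")


def strip_kernel_timestamp(line):
    """Remove only the first bracketed kernel uptime stamp."""
    return KERNEL_TS_RE.sub("", line, count=1)


def should_forward(line):
    # Forward only messages containing FIREWALL, as the question asks.
    return "FIREWALL" in line


def process(lines):
    """Filter to FIREWALL messages and strip their kernel stamps."""
    return [strip_kernel_timestamp(l) for l in lines if should_forward(l)]
```

With the answer's regex, a message that itself contains a "]" loses everything up to that last bracket, which is why the tighter pattern is worth validating on the rsyslog regex page before deploying.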

