I need an rsyslog regex to forward all the messages containing the word "FIREWALL" to a remote server. The original log format is:
Jul 24 16:33:09 FW02 kernel: [3456825.472985] FIREWALL_DENY_IN: IN=eth2 OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51512 DPT=694 LEN=217
The required log format is to be without the kernel times:
Jul 24 16:33:09 FW02 kernel: FIREWALL_DENY_IN: IN=eth2 OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51512 DPT=694 LEN=217
My experience with regex is basic. I was able to match the part I need to exclude with:
[ *[0-9]*\\.[0-9]*\\]
but that's all. The regex must be validated on http://www.rsyslog.com/regex/
Disclaimer: I have no idea how rsyslog works, but perhaps the regex below can help
^([^[]*).*\\](.*)$
Submatch 1:
"Jul 24 16:33:09 FW02 kernel: "
Submatch 2:
" FIREWALL_DENY_IN: IN=eth2 OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51512 DPT=694 LEN=217"
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.