
My config for my template is as follows.

```
template (name="macfilter" type="string" string="/home/pi/nas/f/remotelogs/%programname:R,ERE,0,FIELD:(([0-9A-fa-f][0-9A-fa-f]: ?[0-9A-fa-f][0-9A-fa-f]: ?[0-9A-fa-f][0-9A-fa-f]: ?[0-9A-fa-f][0-9A-fa-f]: ?[0-9A-fa-f][0-9A-fa-f]: ?[0-9A-fa-f][0-9A-fa-f])|([0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]))--end%/%$now%.log")
*.* ?macfilter
```

My log files come in in one of many ways, but only one appears to be problematic.

This log works great, it goes to /home/pi/nas/f/0004f28210ae/date.log

```
2023-04-11T13:14:05-05:00 192.168.1.251 0004f28210ae|0411131405|clist|4|00|dbCfg: :getServerDir:Unknown dbCfg type
```

This does not. It goes to /home/pi/nas/f/2023-05-19.log

```
2023-04-06T01:00:03-05:00 075-137-050-066.res.spectrum.com [80: 5e:0c:9f:11:dc] sua [1026.2005]: FSM <6+info  > [003] allocating NICT context
```

I'm thinking it has something to do with the whitespace in the log. I've allocated for it in the regex, and the regex works according to the rsyslog regex tester, but I don't get the filepath I'm trying for.

However, when I try to trim the template string in any way, shape or fashion, it tells me extra stuff in my template, ignoring the extra stuff.

Any ideas? Am I even approaching this in the simplest fashion?

EDIT:

The two comments below were how I fixed it.

  • if ($rawmsg contains "64167f" or $rawmsg contains "0004f2" or $rawmsg contains "9cadef" or $rawmsg contains "482567" or $rawmsg contains "80:") then { if ($rawmsg contains "80:") then { set $!nameval0 = replace($rawmsg, " ", ""); set $!nameval = replace($!nameval0, ":", ""); } else { set $!nameval = $app-name; } } else { set $!nameval = $app-name; } – David Conway May 20 '23 at 04:17
  • template (name="macfilter" type="string" string="/home/pi/nas/f/remotelogs/%$!nameval:R,ERE,0,FIELD:([0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f])--end%/%$now%.log") *.* -?macfilter – David Conway May 20 '23 at 04:17

1 Answer

```
if ($rawmsg contains "64167f" or $rawmsg contains "0004f2" or $rawmsg contains "9cadef" or $rawmsg contains "482567" or $rawmsg contains "80:") then {
    if ($rawmsg contains "80:") then {
        set $!nameval0 = replace($rawmsg, " ", "");
        set $!nameval = replace($!nameval0, ":", "");
    } else {
        set $!nameval = $app-name;
    }
} else {
    set $!nameval = $app-name;
}

template (name="macfilter" type="string" string="/home/pi/nas/f/remotelogs/%$!nameval:R,ERE,0,FIELD:([0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f])--end%/%$now%.log")
*.* -?macfilter
```
  • Note, for an ERE regexp you can use the suffix group multiplier of form `{min,max}` or `{count}`. Replace the repeated `[0-9A-Fa-f]` sequence by `[0-9A-Fa-f]{12}`. – meuh May 20 '23 at 08:31
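
An offline check of the extraction logic, added here as an example in Python (it is not rsyslog configuration and not code from the post or its comments). It emulates the answer's strip-then-match branch on the question's two sample lines plus one constructed line, next to a variant that matches the MAC first; the function names, the third sample and the lowercasing are assumptions.

```python
import re

# Constructed inputs: the first two are the sample lines quoted in the question,
# the third is a made-up variant whose hostname consists of hex digits.
SAMPLE_PLAIN = ("2023-04-11T13:14:05-05:00 192.168.1.251 0004f28210ae|0411131405"
                "|clist|4|00|dbCfg: :getServerDir:Unknown dbCfg type")
SAMPLE_SPACED = ("2023-04-06T01:00:03-05:00 075-137-050-066.res.spectrum.com "
                 "[80: 5e:0c:9f:11:dc] sua [1026.2005]: FSM <6+info  > [003] "
                 "allocating NICT context")
SAMPLE_HEXHOST = ("2023-04-06T01:00:03-05:00 deadbeef01 [80: 5e:0c:9f:11:dc] "
                  "sua [1026.2005]: FSM <6+info  > [003] allocating NICT context")

HEX12 = re.compile(r"[0-9A-Fa-f]{12}")
# Six hex pairs joined by ":" with an optional space after each colon, or 12
# bare hex digits. The lookarounds (Python syntax, not POSIX ERE) keep the
# match from starting or ending inside a longer run of hex digits.
MAC = re.compile(r"(?<![0-9A-Fa-f])(?:(?:[0-9A-Fa-f]{2}: ?){5}[0-9A-Fa-f]{2}"
                 r"|[0-9A-Fa-f]{12})(?![0-9A-Fa-f])")


def strip_then_match(rawmsg):
    """Emulates the "80:" branch of the answer: delete every space and colon
    in the whole message, then take the first run of 12 hex digits."""
    m = HEX12.search(rawmsg.replace(" ", "").replace(":", ""))
    return m.group(0) if m else None


def match_then_strip(rawmsg):
    """Variant: find the MAC in the untouched message first, then delete the
    separators inside the match only. Lowercased so one device maps to one
    directory. The result is always 12 hex digits, so it cannot carry "/" or
    ".." into the file path."""
    m = MAC.search(rawmsg)
    return re.sub(r"[: ]", "", m.group(0)).lower() if m else None


if __name__ == "__main__":
    for line in (SAMPLE_PLAIN, SAMPLE_SPACED, SAMPLE_HEXHOST):
        print(strip_then_match(line), match_then_strip(line))
```

On the plain sample, stripping the whole message fuses the sender IP with the MAC, which is why the answer only strips when the message contains "80:". The constructed hex hostname shows the same fusion happening on the "80:" branch itself.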