
I'm trying to set up the logentries service. If a log entry has a token in it then I would like to send it to api.logentries.com:10000. The token is a guid in the format aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.

Right now I'm doing:

# If there's a logentries token then send it directly to logentries 
:msg, regex, ".*[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}.*"
& @@api.logentries.com:10000 

I checked the rsyslog debug logs and my regex is not matching, but I can't figure out why or how to fix it:

5245.961161378:7fb79b514700: Filter: check for property 'msg' (value ' fb1c507f-2ede-4d7f-a140-2bd8d56e133 - application - [play-akka.actor.default-dispatcher-1] - Found user: 4fb11ea5e4b00a1aeebe2800') regex '.*[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}.*': FALSE
benmccann

3 Answers

Rsyslog supports the POSIX BRE and ERE syntax. Both are a bit unusual nowadays. Nevertheless, one difference between the two is that the chars { and } need to be escaped in BRE, which is also rsyslog's default syntax when these templates are used.

See: https://en.wikibooks.org/wiki/Regular_Expressions/POSIX-Extended_Regular_Expressions and http://www.regular-expressions.info/posix.html

Additionally, as compared to PCRE:

  • BRE/ERE is always greedy; there's no non-greedy flag .*?
  • No non-grouping Groups (in Rsyslog): (?: ... )
  • Zero-or-More (x?) must be written as: x{0,1} in ERE

This string
fb1c507f-2ede-4d7f-a140-2bd8d56e133
is matched in ERE Mode by this:
([[:alnum:]]{8}(-[[:alnum:]]{4}){3}-[[:alnum:]]{11})

Bbak
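As an added illustration (not code from either answer), the shell snippet below uses grep, which compiles patterns under the same POSIX BRE/ERE rules, to run the asker's pattern against the msg value from the debug line in both syntaxes; it also shows why that line fails even in ERE: its last group is only 11 characters long, which is why the pattern above uses {11}. rsyslog selects ERE with ":msg, ereregex, ..." instead of ":msg, regex, ..."; the GOOD line and the helper names are constructed for this example.

```shell
# Constructed sample: the %msg% value from the question's rsyslog debug line.
# Note the last group (2bd8d56e133) is 11 characters, not the 12 a guid has.
SAMPLE=' fb1c507f-2ede-4d7f-a140-2bd8d56e133 - application - [play-akka.actor.default-dispatcher-1] - Found user: 4fb11ea5e4b00a1aeebe2800'
# Constructed well-formed token, 8-4-4-4-12 hex characters.
GOOD=' 0123abcd-4567-89ab-cdef-0123456789ab - application - ok'

# Plain grep compiles the pattern as a POSIX BRE, the syntax rsyslog uses for ":msg, regex, ...".
match_bre() { printf '%s\n' "$2" | grep -q -e "$1"; }
# grep -E compiles it as a POSIX ERE, the syntax of rsyslog's ":msg, ereregex, ...".
match_ere() { printf '%s\n' "$2" | grep -q -E -e "$1"; }

# The asker's pattern as written: interval braces in ERE form.
ERE_12='[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}'
# The same counts spelled the BRE way, \{n\}, so rsyslog's default syntax accepts them.
BRE_12='[a-z0-9]\{8\}-[a-z0-9]\{4\}-[a-z0-9]\{4\}-[a-z0-9]\{4\}-[a-z0-9]\{12\}'
# Bbak's ERE pattern: 11 characters in the last group, matching the sample line.
ERE_11='[[:alnum:]]{8}(-[[:alnum:]]{4}){3}-[[:alnum:]]{11}'

# Run one line through both engines and print the result in rsyslog's TRUE/FALSE style.
report() {
    if match_bre "$1" "$2"; then b=TRUE; else b=FALSE; fi
    if match_ere "$1" "$2"; then e=TRUE; else e=FALSE; fi
    printf 'BRE:%s ERE:%s  %s\n' "$b" "$e" "$1"
}

report "$ERE_12" "$GOOD"     # BRE:FALSE ERE:TRUE  (unescaped { is literal in BRE)
report "$BRE_12" "$GOOD"     # BRE:TRUE  ERE:FALSE (escaped \{ is literal in ERE)
report "$ERE_12" "$SAMPLE"   # BRE:FALSE ERE:FALSE (last group is 11 chars, not 12)
report "$ERE_11" "$SAMPLE"   # BRE:FALSE ERE:TRUE
```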

rsyslog, being the steaming pile of garbage that it is, doesn't accept curly braces in a regex, a fact which is completely unmentioned in the documentation. Thus, the following regex:

[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}

Needs to be rewritten as:

[a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9]-[a-z0-9][a-z0-9][a-z0-9][a-z0-9]-[a-z0-9][a-z0-9][a-z0-9][a-z0-9]-[a-z0-9][a-z0-9][a-z0-9][a-z0-9]-[a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9]
benmccann
  • I'm just starting to learn about rsyslog and deciding whether or not to use it. If it is a "steaming pile of garbage" - I'm wondering if you can suggest some alternatives? – dtmland Mar 18 '15 at 15:00
$msg , regex, yourRegEx @api.logentries.com:10000 // Filter out and send
& ~ // Discard whatever matched the rule

$template myTemplate,"TOKEN %msg%" 
*.* @api.logentries.com:10000?myTemplate

I haven't tested it ... but it will be something like that

Sirex
Nikolaidis Fotis
  • Thanks for the answer. I'm having a hard time reading it due to formatting though. Is everything after the "//" a comment? Is the "& ~" commented out and not do anything? I've updated my question to include what was my best guess and would really appreciate it if you can tell me if I'm doing anything wrong. – benmccann Dec 20 '12 at 02:12
  • &~ should be on the next line, it matches everything in the last match, and in this case, discards it. - This stops the syslog line being sent onwards. – Sirex Dec 20 '12 at 02:28
  • Also, SF tip. Usually the formatting in the answer is ok, but the rendering is messed up. If you click "edit" on the answer (but cancel rather than making changes) you can usually see what the author intended. – Sirex Dec 20 '12 at 02:30
  • Thanks. Is it supposed to be $msg? The docs have :msg. http://www.rsyslog.com/doc/rsyslog_conf_filter.html – benmccann Dec 20 '12 at 02:40
  • I found out the problem is that my regex is not matching by running rsyslog in debug mode and looking at the logs it created. Do you have any ideas what I can do to fix my regex? It looks okay to me. – benmccann Dec 20 '12 at 04:08