Reputation: 31
I am trying to structure logs from my D-Link DAP-2310 in an rsyslog server. It has a non-standard log format and my idea is to fix that with regex in an rsyslog template. When I parse the rsyslog.conf with rsyslogd -N1 the result is really depressing.
The msg data item looks like AA:BB:CC:DD:EE] [app-name] log message
The first part is a MAC address where the first part “[00:” is placed in another data item, don't ask why. Part two “[app-name]” is the application/instance sending the message. The last part “log message” is the logged action.
The interesting parts are i) app-name and ii) log message.
I have validated the following regular expressions at http://www.rsyslog.com/regex/ and both of them work like a charm.
The full template declaration looks like:
template(name=”AP_tmpl” type=”list”) {
property(name=”timestamp”)
constant(value=” “)
property(name=”hostname”)
constant(value=” “)
property(name=”msg”
regex.type=”ERE”
regex.submatch=”1”
regex.expression=”\[(.+)\]--end”
regex.nomatchmode=”BLANK”
)
constant(value=” “)
property(name=”msg”
regex.type=”ERE”
regex.submatch=”1”
regex.expression=”\[.+\](.+)$--end”
regex.nomatchmode=”BLANK”
)
constant(value=”\n“)
}
When I parse the conf file it complains about escape characters.
tobias@ubuntutest:~$ sudo rsyslogd -N1
rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '"' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '\' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '.' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '*' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '\' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: syntax error on token ']' [try http://www.rsyslog.com/e/2207 ]
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2207 ]
rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
I can’t figure out why; the regular expressions are validated without any errors. http://www.rsyslog.com/e/2207 gives nothing. Any ideas?
Upvotes: 3
Views: 9871
Reputation: 16714
When you write ”\[(.+)\]--end”, \[ is expected to be a special character (like \n), while it is not. To avoid the special use of the backslash, you should escape it with another backslash. So while the real regexes are \[(.+)\] and \[.+\](.+), the strings you have to use are: ”\\[(.+)\\]” and ”\\[.+\\](.+)”.
Also, be careful about the double quotes: you probably want to use ", and not ”.
Upvotes: 3
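An added example, not part of the original posts: a Python check of the answer's two points (straight quotes, doubled backslashes) that also shows what the two regexes extract from the msg shape in the question. Python's re stands in for rsyslog's ERE engine here; BRACKETED_MSG, APP_RE_STRICT and the escape set accepted by lint() are assumptions made for illustration.

```python
import re

# Constructed sample of the msg property, in the shape the question describes.
SAMPLE_MSG = "AA:BB:CC:DD:EE] [app-name] log message"
# Constructed edge case: the logged text itself contains brackets.
BRACKETED_MSG = "AA:BB:CC:DD:EE] [wifi] client [sta1] joined"

# The regexes as the regex engine should receive them (from the answer).
APP_RE = r"\[(.+)\]"
TEXT_RE = r"\[.+\](.+)$"
# Hypothetical tighter variant (not from the page): stop at the first "]".
APP_RE_STRICT = r"\[([^]]+)\]"

def to_config_string(regex):
    """Quote a regex for rsyslog.conf: straight quotes, every backslash doubled."""
    return '"' + regex.replace("\\", "\\\\") + '"'

def from_config_string(text):
    """Undo to_config_string: strip the quotes, collapse doubled backslashes."""
    return text[1:-1].replace("\\\\", "\\")

def submatch(regex, msg):
    """Mimic regex.submatch 1 with nomatchmode BLANK: group 1 or empty string."""
    m = re.search(regex, msg)
    return m.group(1) if m else ""

def lint(line):
    """Flag the two mistakes named in the answer on one config line."""
    problems = []
    if re.search("[\u201c\u201d]", line):
        problems.append("typographic quote")
    # Assumption: only \\, \n and \" are accepted escapes in a quoted string.
    if re.search(r'\\[^\\n"]', line.replace("\\\\", "")):
        problems.append("single backslash")
    return problems

if __name__ == "__main__":
    for rx in (APP_RE, TEXT_RE):
        print("regex.expression=" + to_config_string(rx))
    print(repr(submatch(APP_RE, SAMPLE_MSG)), repr(submatch(TEXT_RE, SAMPLE_MSG)))
    # Greedy .+ runs to the last "]" when the message has its own brackets.
    print(repr(submatch(APP_RE, BRACKETED_MSG)))
    print(repr(submatch(APP_RE_STRICT, BRACKETED_MSG)))
```

The second regex keeps the space that follows the closing bracket, so the extracted log text starts with a blank.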