Rsyslog: New style RainerScript syntax does not work with filters regex and ereregex

Created on 1 Aug 2018 · 7 Comments · Source: rsyslog/rsyslog

Expected behavior

rsyslog should be able to use regex and ereregex filters with new syntax.

Actual behavior

rsyslogd -N 1, if new syntax is used:

rsyslogd: version 8.36.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: error during parsing file /etc/rsyslog.d/test.conf, on or before line 18: syntax error on token 'regex' [v8.36.0 try http://www.rsyslog.com/e/2207 ]
rsyslogd: could not interpret master config file '/etc/rsyslog.conf'. [v8.36.0 try http://www.rsyslog.com/e/2207 ]

If old syntax is used:

rsyslogd: version 8.36.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

Steps to reproduce the behavior

Use message filter regex or ereregex with new syntax and get an error:

if ( $msg regex "filterme" ) then stop

The same new syntax with startswith filter works fine:

if ( $msg startswith "filterme" ) then stop

Old syntax with ereregex filter works fine:

:msg, ereregex, "filterme" stop

Environment

  • rsyslog version: 8.36.0
  • platform: Ubuntu 16.04
  • for configuration questions/issues, include rsyslog.conf and included config files

rsyslog.conf: https://gist.github.com/selivan/9892cd2bcb8ea2edc7ab3d601e2d39d8

test.conf:

input(type="imfile"
        File="/var/log/test/debug.log"
        Tag="test__debug.log"
        Ruleset="test_logs")

ruleset(name="test_logs") {
        # Filter unnecessary messages
        # ereregex: POSIX ERE regular expression
        # See https://www.rsyslog.com/doc/v8-stable/configuration/filters.html#compare-operations

        if ( $msg regex ".*" ) then stop
        # Old syntax works:
        #:msg, ereregex, "filterme" stop

        call sendToLogserver
}

All 7 comments

This issue seems abandoned :sleeping:

@selivan I think you can use re_match() function.
Try:

if re_match($msg, ".*") then stop

Rsyslog documentation is awful. I managed to find some clues when I found the RainerScript functions page and googled for rsyslog if re_match.

@markkrj Thanks for this workaround, it looks better than using old style syntax.

Still, dysfunctional regex and ereregex with new style syntax should be fixed.

@rgerhards Sorry to bother, this is not a high priority issue. But could you please at least look and confirm that it is a bug and it's gonna be fixed someday.

Sorry to bother, this is not a high priority issue. But could you please at least look and confirm that it is a bug and it's gonna be fixed someday.

Well, actually this is not a bug. The old style property filters are different from what the script statements do. For the new style, we have re_match() - there are no regex or ereregex comparisons by intent. In new style, this is much better done via functions.

Rsyslog documentation is awful

ack, albeit it got better. But keep in mind this is open source, so you can easily help improve it.
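
The re_match() workaround and the maintainer's explanation above, applied to the reporter's test.conf. This is an added example, not code from the rsyslog project or from any commenter; the patterns other than "filterme" are constructed for illustration, and it assumes imfile is loaded and sendToLogserver is defined in the reporter's rsyslog.conf.

```conf
input(type="imfile"
        File="/var/log/test/debug.log"
        Tag="test__debug.log"
        Ruleset="test_logs")

ruleset(name="test_logs") {
        # Old-style property filter, shown for comparison only.
        # "regex"/"ereregex" exist as compare operations only in this form:
        #:msg, ereregex, "filterme" stop

        # New-style equivalent. re_match() takes a POSIX ERE and returns
        # 1 on a match and 0 otherwise, so it can be the whole condition.
        # The match is unanchored: "filterme" anywhere in $msg drops the line.
        if re_match($msg, "filterme") then stop

        # Constructed pattern: alternation works as in any POSIX ERE.
        if re_match($msg, "level=(debug|trace)") then stop

        # Constructed pattern: because re_match() is a function, it combines
        # with other script operators. Drop health-check noise, but keep any
        # health-check line that reports a 5xx status.
        if ($msg contains "healthcheck") and not (re_match($msg, "status=5[0-9][0-9]")) then stop

        # A pattern such as ".*" matches every message, so a rule like
        #   if re_match($msg, ".*") then stop
        # discards everything and nothing reaches sendToLogserver.

        call sendToLogserver
}
```

Validate the file with `rsyslogd -N 1`, as in the report, before restarting the daemon.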

Since this is still open, I would also like to ask a question if someone can help me....
Let's say I have a log which went through mmjsonparse and also mmnormalize.
I know that the log has been parsed successfully.
Then I would like to replace some characters of a field that was internally generated by mmnormalize. I want to do the replacement using regex.

For example, the field name generated by mmnormalize is $url
I want to replace "([0-9])" with "."
How do I do that?
I tried replace(str, s1, r1) but it does not work because I cannot give regex as s1.
However, I tried re_extract() to get the exact characters which I want to replace and then give them as input to replace(str, s1, r1), but it still does not work...
Any ideas to make that working?

or ask the question on the rsyslog mailing list

David Lang
