Linux – rsyslog – regex trouble

linuxrsyslogsyslog

I'm trying to setup the logentries service. If a log entry has a token in it then I would like to send it to api.logentries.com:10000. The token is a guid in the format aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.

Right now I'm doing:

# If there's a logentries token then send it directly to logentries 
:msg, regex, ".*[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}.*"
& @@api.logentries.com:10000

I checked the rsyslog debug logs and my regex is not matching, but I can't figure out why or how to fix it:

5245.961161378:7fb79b514700: Filter: check for property 'msg' (value ' fb1c507f-2ede-4d7f-a140-2bd8d56e133 - application - [play-akka.actor.default-dispatcher-1] - Found user: 4fb11ea5e4b00a1aeebe2800') regex '.*[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}.*': FALSE

Best Answer

Rsyslog supports the POSIX BRE and the ERE Syntax. Both are a bit unusual nowadays. Nevertheless one difference between the two is, that chars { and } need to be escaped in BRE - which his also rsyslogs default syntax when these Templates are used.

See: https://en.wikibooks.org/wiki/Regular_Expressions/POSIX-Extended_Regular_Expressions and http://www.regular-expressions.info/posix.html

Additionally, as compared to PCRE:

BRE/ERE is always greedy; there's no non-greedy flag .*?
No non-grouping Groups (in Rsyslog): (?: ... )
Zero-or-More (x?) must be written as: x{0,1} in ERE

This string
fb1c507f-2ede-4d7f-a140-2bd8d56e133
is matched in ERE Mode by this:
([[:alnum:]]{8}(-[[:alnum:]]{4}){3}-[[:alnum:]]{11})

Related Solutions

Rsyslog filter by client

Our config has some extra error checking in it preventing random hosts from generating logs.

# Templates                    
$template RemoteHost,"/data/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%-%$DAY%.log"
$template Garbage,"/data/log/remote/GARBAGE/%HOSTNAME%/%$YEAR%/%$MONTH%-%$DAY%.log"

# Discard SNMPD Connection Messages
if $programname == 'snmpd' and ( $msg contains 'Connection from UDP' or $msg contains 'Received SNMP packet(s) from UDP' ) then ~

# Archival Storage
#    All Messages, locally and remote stored to these rules
if $hostname contains '.mydomain.com' or $hostname contains '.myotherdomain.com' or $hostname contains '.local' then { 
  *.* ?RemoteHost 
} else { 
  *.* ?Garbage
}

# If not sourced locally, stop processing message.
:source , !isequal , "syslog1" ~

Adding Tag (i.e. Source IP) to rsyslog for sending to rsyslog remote server

You should be able to match the hostname of the system emitting your log. Isn't that enough?

Rsyslog has an option $PreserveFQDN on, to replace that hostname with your FQDN, which is probably better with syslog concentrators, ...

I suppose on the other end you have some logstash or elasticsearch? Either way, rsyslog also allows you to define templates such as:

template(name="jsonfmt" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"@version\":\"1")
    constant(value="\",\"message\":\"") property(name="msg")
    constant(value="\",\"@fields.host\":\"") property(name="hostname")
    constant(value="\",\"@fields.severity\":\"") property(name="syslogseverity-text")
    constant(value="\",\"@fields.facility\":\"") property(name="syslogfacility-text")
    constant(value="\",\"@fields.programname\":\"") property(name="programname")
    constant(value="\",\"@fields.procid\":\"") property(name="procid")
    constant(value="\",\"@fields.mytag\":\"foobarStaticTag\"}\n")
}

local7.* @logstash.example.com:1514;jsonfmt
local7.* action(type="omelasticsearch"
       action.resumeretrycount="-1"
       dynSearchIndex="on"
       bulkmode="on"
       queue.type="linkedlist"
       queue.size="1000000"
       queue.dequeuebatchsize="1000"
       queue.workerthreads="2"
       searchIndex="logidx"
       server="esearchgw.example.com"
       template="jsonfmt")

Note that the sample logstash forwarder assumes your input definition includes codec => json. The foobarStaticTag being whatever Tag you wanted to add.

Best Answer

Related Solutions

Rsyslog filter by client

Adding Tag (i.e. Source IP) to rsyslog for sending to rsyslog remote server

Related Topic