What is the correct syntax for rsyslog's re_match()?
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
I'm trying to filter unwanted messages from a cron job (systemd) from rsyslog output. However rsyslog always complains about the second argument of re_match(). The filter rule I have is:
if $programname == "systemd" and re_match($msg, '^Started [Ss]ession d+ of user ntpmon.$') then stop
I started putting the regex in double-quotes, and rsyslog complained. Then I put the regex in single quotes, and rsyslog still complains.
The documentation is a bit vague:
re_match(expr, re)
returns 1, if expr matches re, 0 otherwise. Uses POSIX ERE.
How do I fix it (the filter, not the docs)?
regular-expression rsyslog filter
asked 15 hours ago
U. Windl
1291
New contributor
U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
0
down vote
favorite
I'm trying to filter unwanted messages from a cron job (systemd) from rsyslog output. However rsyslog always complains about the second argument of re_match(). The filter rule I have is:
if $programname == "systemd" and re_match($msg, '^Started [Ss]ession d+ of user ntpmon.$') then stop
I started putting the regex in double-quotes, and rsyslog complained. Then I put the regex in single quotes, and rsyslog still complains.
The documentation is a bit vague:
re_match(expr, re)
returns 1, if expr matches re, 0 otherwise. Uses POSIX ERE.
How do I fix it (the filter, not the docs)?
regular-expression rsyslog filter
asked 15 hours ago
U. Windl
1291
New contributor
U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I'm trying to filter unwanted messages from a cron job (systemd) from rsyslog output. However rsyslog always complains about the second argument of re_match(). The filter rule I have is:
if $programname == "systemd" and re_match($msg, '^Started [Ss]ession d+ of user ntpmon.$') then stop
I started putting the regex in double-quotes, and rsyslog complained. Then I put the regex in single quotes, and rsyslog still complains.
The documentation is a bit vague:
re_match(expr, re)
returns 1, if expr matches re, 0 otherwise. Uses POSIX ERE.
How do I fix it (the filter, not the docs)?
regular-expression rsyslog filter
asked 15 hours ago
U. Windl
1291
New contributor
U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I'm trying to filter unwanted messages from a cron job (systemd) from rsyslog output. However rsyslog always complains about the second argument of re_match(). The filter rule I have is:
if $programname == "systemd" and re_match($msg, '^Started [Ss]ession d+ of user ntpmon.$') then stop
I started putting the regex in double-quotes, and rsyslog complained. Then I put the regex in single quotes, and rsyslog still complains.
The documentation is a bit vague:
re_match(expr, re)
returns 1, if expr matches re, 0 otherwise. Uses POSIX ERE.
How do I fix it (the filter, not the docs)?
regular-expression rsyslog filter
regular-expression rsyslog filter
asked 15 hours ago
U. Windl
1291
New contributor
U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 15 hours ago
U. Windl
1291
New contributor
U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 15 hours ago
U. Windl
1291
New contributor
U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 15 hours ago
U. Windl
1291
asked 15 hours ago
U. Windl
1291
1291
New contributor
U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
U. Windl is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
You need to double the backslash, otherwise rsyslog tries to interpret d as an escape sequence within a string, and this is not parseable. So it should be \d.
But d is not a Posix ERE. You presumably meant [0-9], for example, for a digit. So try
'^Started [Ss]ession [0-9]+ of user ntpmon\.$'
answered 11 hours ago
meuh
31k11754
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
You need to double the backslash, otherwise rsyslog tries to interpret d as an escape sequence within a string, and this is not parseable. So it should be \d.
But d is not a Posix ERE. You presumably meant [0-9], for example, for a digit. So try
'^Started [Ss]ession [0-9]+ of user ntpmon\.$'
answered 11 hours ago
meuh
31k11754
add a comment |
up vote
0
down vote
You need to double the backslash, otherwise rsyslog tries to interpret d as an escape sequence within a string, and this is not parseable. So it should be \d.
But d is not a Posix ERE. You presumably meant [0-9], for example, for a digit. So try
'^Started [Ss]ession [0-9]+ of user ntpmon\.$'
answered 11 hours ago
meuh
31k11754
add a comment |
up vote
0
down vote
up vote
0
down vote
You need to double the backslash, otherwise rsyslog tries to interpret d as an escape sequence within a string, and this is not parseable. So it should be \d.
But d is not a Posix ERE. You presumably meant [0-9], for example, for a digit. So try
'^Started [Ss]ession [0-9]+ of user ntpmon\.$'
answered 11 hours ago
meuh
31k11754
You need to double the backslash, otherwise rsyslog tries to interpret d as an escape sequence within a string, and this is not parseable. So it should be \d.
But d is not a Posix ERE. You presumably meant [0-9], for example, for a digit. So try
'^Started [Ss]ession [0-9]+ of user ntpmon\.$'
answered 11 hours ago
meuh
31k11754
answered 11 hours ago
meuh
31k11754
answered 11 hours ago
meuh
31k11754
answered 11 hours ago
meuh
31k11754
31k11754
add a comment |
add a comment |
U. Windl is a new contributor. Be nice, and check out our Code of Conduct.
U. Windl is a new contributor. Be nice, and check out our Code of Conduct.
U. Windl is a new contributor. Be nice, and check out our Code of Conduct.
U. Windl is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f481282%2fwhat-is-the-correct-syntax-for-rsyslogs-re-match%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
