rsyslog template - parse failure in regular expression
Problem description
I am trying to structure logs from my D-Link DAP-2310 in a rsyslog server. It has a non-standard log format and my idea is to fix that with regex in a rsyslog template. When I parse the rsyslog.conf with rsyslogd -N1 the result is really depressing.
The msg data item looks like AA:BB:CC:DD:EE] [app-name] log message
The first part is a MAC address where the first part "[00:" is placed in another data item, don't ask why. Part two "[app-name]" is the application/instance sending the message. The last part "log message" is the logged action.
The interesting parts are i) app-name and ii) log message.
I have validated the following regular expressions at http://www.rsyslog.com/regex/ and both of them work like a charm.
- \[(.+)\]
- \[.+\](.+)
The complete template statement is as follows:
template(name="AP_tmpl" type="list") {
property(name="timestamp")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="msg"
regex.type="ERE"
regex.submatch="1"
regex.expression="\[(.+)\]--end"
regex.nomatchmode="BLANK"
)
constant(value=" ")
property(name="msg"
regex.type="ERE"
regex.submatch="1"
regex.expression="\[.+\](.+)$--end"
regex.nomatchmode="BLANK"
)
constant(value="\n")
}
When I parse the conf file it complains about escape characters.
tobias@ubuntutest:~$ sudo rsyslogd -N1
rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '"' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '\' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '.' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '*' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '\' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: syntax error on token ']' [try http://www.rsyslog.com/e/2207 ]
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2207 ]
rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
I can’t figure out why, the regular expressions are validated without any errors. http://www.rsyslog.com/e/2207 gives nothing. Any ideas?
Recommended answer
When you write "\[(.+)\]--end", \[ is expected to be a special character (like \n), while it is not. To avoid the special use of the backslash, you should escape it with another backslash. So while the real regex are \[(.+)\] and \[.+\](.+), the strings you have to use are: "\\[(.+)\\]" and "\\[.+\\](.+)".
Also, be careful about the double quotes, you probably want to ", and not ".
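The template from the question with the answer's escaping applied, as an added example that is not part of the original post. It uses the answer's strings (which omit the --end suffix) and assumes every quote in the file is a plain ASCII double quote.

```conf
# /etc/rsyslog.d/41-AP.conf (path taken from the error output in the question)
#
# A double-quoted string in the config is unescaped once by the config
# parser before the regex engine sees it:
#   written in the file   "\\[(.+)\\]"     "\\[.+\\](.+)"
#   seen by the ERE       \[(.+)\]         \[.+\](.+)
# A single backslash before '[' is not a known escape sequence, which is
# what triggers the "invalid escape sequence" errors.
#
# For msg = AA:BB:CC:DD:EE] [app-name] log message
#   first property  -> app-name
#   second property -> " log message" (leading space is part of the match)
#
# Check the file with: rsyslogd -N1
template(name="AP_tmpl" type="list") {
    property(name="timestamp")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="msg"
             regex.type="ERE"
             regex.submatch="1"
             regex.expression="\\[(.+)\\]"
             regex.nomatchmode="BLANK"
    )
    constant(value=" ")
    property(name="msg"
             regex.type="ERE"
             regex.submatch="1"
             regex.expression="\\[.+\\](.+)"
             regex.nomatchmode="BLANK"
    )
    constant(value="\n")
}
```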