英文:
rsyslog can't compile regex pattern within template
问题
我有以下的rsyslog配置,它读取一个非标准格式的日志文件并将我需要的数据解析为JSON负载。现在,当我尝试提取最后一组括号后面的所有内容,它可能包含[Info ]
或[Error ]
,它会抛出一个错误,显示:错误编译正则表达式。我知道正则表达式模式 (?:\[Info\s*\]|\[Error\s*\])\s*(.*)
应该可以工作(在rsyslog网站的正则表达式检查器上测试过,以及其他检查器上也测试过),但我不太明白为什么rsyslog不能编译它。如果我不转义括号,它会抛出一堆其他错误。我是否漏掉了什么明显的东西?
/path/to/log/file.log
11955 - [Mon Apr 6 20:40:03 2023] [Info ] This message can contain anything [d54d13fa-4657-4891-f99d08674ee]
/etc/rsyslog.d/mylog.conf
module(load="imfile")
input(type="imfile" tag="mylog" file="/path/to/log/file.log")
template(name="jsonFormat" type="list" option.jsonf="on") {
property(outname="msg" name="msg" regex.expression="(?:\[Info\s*\]|\[Error\s*\])\s*(.*)" regex.type="ERE" regex.submatch="1" format="jsonf")
}
if ($syslogtag == "mylog") then {
action(type="omfile" file="/path/to/output/file.log" template="jsonFormat")
}
# rsyslogd -N1
rsyslogd: error compiling regex '(?:\[Info\s*\]|\[Error\s*\])\s*(.*)' [v8.2302.0]
英文:
I have the below rsyslog config which reads a non-standard formatted log file and parses the data I need into json payload. Now, when I'm trying to extract everything behind the last set of brackets which can contain [Info ]
or [Error ]
it throws an error saying: error compiling regex. I know the regex pattern (?:\[Info\s*\]|\[Error\s*\])\s*(.*)
should work (tested on the regex checker on rsyslog's website, as well as on other checkers) but I don't quite understand to why rsyslog can't compile it. If I don't escape brackets, it's throwing a bunch of other errors. Am I missing something obvious?
/path/to/log/file.log
11955 - [Mon Apr 6 20:40:03 2023] [Info ] This message can contain anything [d54d13fa-4657-4891-f99d08674ee]
/etc/rsyslog.d/mylog.conf
module(load="imfile")
input(type="imfile" tag="mylog" file="/path/to/log/file.log")
template(name="jsonFormat" type="list" option.jsonf="on") {
property(outname="msg" name="msg" regex.expression="(?:\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)" regex.type="ERE" regex.submatch="1" format="jsonf")
}
if ($syslogtag == "mylog") then {
action(type="omfile" file="/path/to/output/file.log" template="jsonFormat")
}
# rsyslogd -N1
rsyslogd: error compiling regex '(?:\[Info\s*\]|\[Error\s*\])\s*(.*)' [v8.2302.0]
答案1
得分: 2
正则表达式 ERE 语法不包括非捕获语法 (?:)
。或许正则表达式检查器适用于更新版本的 rsyslog。
你可以简单地将 regex.submatch
更改为 2:
regex.expression="(\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)"
regex.submatch="2"
英文:
The regex ERE syntax does not include the non-capture syntax (?:)
. Perhaps the regex checker is for a newer version of rsyslog.
You can simply change the regex.submatch
to 2:
regex.expression="(\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)"
regex.submatch="2"
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论