rsyslog can't compile regex pattern within template

Question

I have the below rsyslog config which reads a non-standard formatted log file and parses the data I need into a JSON payload. Now, when I'm trying to extract everything behind the last set of brackets, which can contain [Info ] or [Error ], it throws an error saying: error compiling regex. I know the regex pattern (?:\[Info\s*\]|\[Error\s*\])\s*(.*) should work (tested on the regex checker on rsyslog's website, as well as on other checkers) but I don't quite understand why rsyslog can't compile it. If I don't escape brackets, it's throwing a bunch of other errors. Am I missing something obvious?

/path/to/log/file.log

 11955 - [Mon Apr  6 20:40:03 2023] [Info   ] This message can contain anything [d54d13fa-4657-4891-f99d08674ee]

/etc/rsyslog.d/mylog.conf

module(load="imfile")
input(type="imfile" tag="mylog" file="/path/to/log/file.log")
    
template(name="jsonFormat" type="list" option.jsonf="on") {                 
    property(outname="msg" name="msg" regex.expression="(?:\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)" regex.type="ERE" regex.submatch="1" format="jsonf")
}

if ($syslogtag == "mylog") then {
        action(type="omfile" file="/path/to/output/file.log" template="jsonFormat")
}

# rsyslogd -N1

rsyslogd: error compiling regex '(?:\[Info\s*\]|\[Error\s*\])\s*(.*)' [v8.2302.0]

Answer 1

Score: 2

The regex ERE syntax does not include the non-capture syntax (?:). Perhaps the regex checker is for a newer version of rsyslog.
You can simply change the regex.submatch to 2:

regex.expression="(\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)"
regex.submatch="2"
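
An added example (not from the original post or from rsyslog) that reproduces the answer's point in C, on the assumption that rsyslog hands ERE patterns to the C library's POSIX regcomp() with REG_EXTENDED. The function name ere_submatch and its return codes are hypothetical; the sample line and both patterns are taken from the question and the answer.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Sample input: the log line quoted in the question. */
static const char *SAMPLE =
    "11955 - [Mon Apr  6 20:40:03 2023] [Info   ] This message can contain anything [d54d13fa-4657-4891-f99d08674ee]";

/* Patterns as the regex library receives them, i.e. with single backslashes,
 * the form printed in the rsyslogd error message. */
static const char *PAT_QUESTION = "(?:\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)";
static const char *PAT_ANSWER   = "(\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)";

/* Compile pat as POSIX ERE and copy submatch n of line into out.
 * Returns 0 on success, -1 if the pattern does not compile,
 * -2 if the line does not match or the group is unset (hypothetical codes). */
int ere_submatch(const char *pat, const char *line, size_t n,
                 char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[4];
    int rc = regcomp(&re, pat, REG_EXTENDED);
    if (rc != 0) {
        char err[128];
        regerror(rc, &re, err, sizeof err);
        fprintf(stderr, "error compiling regex '%s': %s\n", pat, err);
        return -1;
    }
    rc = -2;
    if (n < 4 && regexec(&re, line, 4, m, 0) == 0 && m[n].rm_so != -1) {
        snprintf(out, outlen, "%.*s",
                 (int)(m[n].rm_eo - m[n].rm_so), line + m[n].rm_so);
        rc = 0;
    }
    regfree(&re);
    return rc;
}

int main(void)
{
    char buf[256];
    /* "(?:" is not ERE syntax, so the question's pattern fails to compile. */
    printf("question pattern -> %d\n",
           ere_submatch(PAT_QUESTION, SAMPLE, 1, buf, sizeof buf));
    /* With a plain capturing group, the message text moves to submatch 2. */
    if (ere_submatch(PAT_ANSWER, SAMPLE, 2, buf, sizeof buf) == 0)
        printf("submatch 2: %s\n", buf);
    return 0;
}
```

The \s escape used in both patterns is not part of POSIX ERE either; it is accepted here as a C library extension, and [[:space:]] is the portable spelling.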

  • Posted on April 6, 2023 at 21:19:25
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75950007.html