Regex exclusion pattern for rsyslog

Time: 2012-09-07 08:25:22

Tags: regex logging rsyslog

I need an rsyslog regular expression that forwards every message containing the word "FIREWALL" to a remote server. The original log format is:

Jul 24 16:33:09 FW02 kernel: [3456825.472985] FIREWALL_DENY_IN: IN=eth2 OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51512 DPT=694 LEN=217

The desired log format is the same line without the kernel timestamp:

Jul 24 16:33:09 FW02 kernel: FIREWALL_DENY_IN: IN=eth2 OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51512 DPT=694 LEN=217

My experience with regular expressions is basic. I was able to match the part I need to exclude:

[*[0-9]*\.[0-9]*\]

But that is as far as I got. The regex must be validated at http://www.rsyslog.com/regex/

1 answer:

Answer 0: (score: 0)

Disclaimer: I do not know how rsyslog works, but the regular expression below may help

^([^[]*).*\](.*)$

Submatch 1:

"Jul 24 16:33:09 FW02 kernel: "

Submatch 2:

" FIREWALL_DENY_IN: IN=eth2 OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51512 DPT=694 LEN=217"
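The answer above only shows the two submatches; the example below (added here, not part of the question or the answer) applies that regex to the question's log line in Python and reassembles the header and message into the desired format. It also emulates the asker's forwarding rule as a plain "contains FIREWALL" check, and adds a tighter pattern (an assumption of this example, not something the answer proposed) that removes exactly one `[digits.digits]` token, because the answer's greedy `.*\]` jumps to the last `]` on the line and would discard part of the message if a later field ever contained a bracket. In rsyslog itself the two pieces would be a property-based filter plus a template using the property replacer's regex mode; the Python here only reproduces the text transformation so the regexes can be checked offline. All sample lines other than the question's own are constructed.

```python
import re

# The answer's ERE, written for Python's re module: group 1 is everything before
# the first "[", group 2 everything after the LAST "]" (because .* is greedy).
ANSWER_RE = re.compile(r"^([^\[]*).*\](.*)$")

# Tighter alternative (assumption added in this example, not from the answer):
# remove exactly one "[<digits>.<digits>]" token and the space after it, so a
# "]" that appears later inside the message is left untouched.
KERNEL_TS_RE = re.compile(r"\[[0-9]+\.[0-9]+\] ?")


def strip_with_answer_regex(line):
    """Apply the answer's regex and glue the two submatches back together."""
    m = ANSWER_RE.match(line)
    if m is None:
        return line
    # submatch 2 starts with the space that followed "]"; drop it
    return m.group(1) + m.group(2).lstrip(" ")


def strip_kernel_timestamp(line):
    """Remove only the first kernel uptime stamp; lines without one pass through unchanged."""
    return KERNEL_TS_RE.sub("", line, count=1)


def should_forward(line):
    """Emulates the asker's forwarding rule: forward only lines containing FIREWALL."""
    return "FIREWALL" in line


def process(lines, strip=strip_kernel_timestamp):
    """Return the lines that would be forwarded, already rewritten by `strip`."""
    return [strip(line) for line in lines if should_forward(line)]


# Sample input (constructed): [0] is the question's line, [1] a non-firewall
# kernel line, [2] a hypothetical firewall line with an extra "]" later on.
SAMPLE_LINES = [
    "Jul 24 16:33:09 FW02 kernel: [3456825.472985] FIREWALL_DENY_IN: IN=eth2 "
    "OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 "
    "DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=51512 DPT=694 LEN=217",
    "Jul 24 16:33:11 FW02 kernel: [3456827.123456] eth2: link up",
    "Jul 24 16:33:10 FW02 kernel: [3456826.000001] FIREWALL_DENY_IN: IN=eth2 "
    "OUT= MAC=[none] SRC=10.101.103.193",
]

# The format the question asks for, for the question's own line.
EXPECTED_FORWARDED = (
    "Jul 24 16:33:09 FW02 kernel: FIREWALL_DENY_IN: IN=eth2 "
    "OUT=MAC=ff:ff:ff:ff:ff:ff:00:1b:78:e4:b3:24:08:00 SRC=10.101.103.193 "
    "DST=10.101.103.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=51512 DPT=694 LEN=217"
)

if __name__ == "__main__":
    print("answer's regex:")
    for line in process(SAMPLE_LINES, strip=strip_with_answer_regex):
        print("  ", line)
    print("single-token regex:")
    for line in process(SAMPLE_LINES):
        print("  ", line)
```

Both patterns give the desired output for the question's line; they differ only on the constructed third line, where the answer's regex drops `FIREWALL_DENY_IN: IN=eth2 OUT= MAC=[none]` and keeps only what follows the last `]`. The tighter pattern uses `[0-9]` rather than `\d` because rsyslog's regex support is POSIX BRE/ERE, which has no `\d`.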
