I'm trying to set up the logentries service. If a log entry has a token in it then I would like to send it to api.logentries.com:10000. The token is a GUID in the format aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.
Right now I'm doing:
# If there's a logentries token then send it directly to logentries
:msg, regex, ".*[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}.*"
& @@api.logentries.com:10000
I checked the rsyslog debug logs and my regex is not matching, but I can't figure out why or how to fix it:
5245.961161378:7fb79b514700: Filter: check for property 'msg' (value ' fb1c507f-2ede-4d7f-a140-2bd8d56e133 - application - [play-akka.actor.default-dispatcher-1] - Found user: 4fb11ea5e4b00a1aeebe2800') regex '.*[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}.*': FALSE
Rsyslog supports the POSIX BRE and the ERE syntax. Both are a bit unusual nowadays. Nevertheless, one difference between the two is that the chars { and } need to be escaped in BRE, which is also rsyslog's default syntax when these templates are used.
See: https://en.wikibooks.org/wiki/Regular_Expressions/POSIX-Extended_Regular_Expressions and http://www.regular-expressions.info/posix.html
Additionally, as compared to PCRE:
.*?
(?: ... )
x?
) must be written as: x{0,1} in ERE
This string
fb1c507f-2ede-4d7f-a140-2bd8d56e133
is matched in ERE Mode by this:
([[:alnum:]]{8}(-[[:alnum:]]{4}){3}-[[:alnum:]]{11})
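The BRE/ERE brace difference described in the answer above, checked with POSIX regcomp() as an added example (not code from the question or the answers). It assumes rsyslog hands the filter pattern to regcomp(); MSG is the msg value from the debug log, while FULL and PAT_QUESTION_BRE are constructed for the comparison.

```c
#include <regex.h>
#include <stdio.h>

/* msg property value copied from the rsyslog debug line in the question.
 * Note: the last group of the token has 11 characters, not 12. */
static const char *MSG =
    " fb1c507f-2ede-4d7f-a140-2bd8d56e133 - application - "
    "[play-akka.actor.default-dispatcher-1] - Found user: "
    "4fb11ea5e4b00a1aeebe2800";
/* Constructed message whose token has the full 12-character last group. */
static const char *FULL = " fb1c507f-2ede-4d7f-a140-2bd8d56e1337 - application";

/* The filter pattern exactly as written in the question. */
static const char *PAT_QUESTION =
    ".*[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}.*";
/* Constructed BRE spelling of the same pattern: interval braces escaped. */
static const char *PAT_QUESTION_BRE =
    ".*[a-z0-9]\\{8\\}-[a-z0-9]\\{4\\}-[a-z0-9]\\{4\\}-[a-z0-9]\\{4\\}-[a-z0-9]\\{12\\}.*";
/* The ERE given in the answer (last group is 11 characters). */
static const char *PAT_ANSWER =
    "([[:alnum:]]{8}(-[[:alnum:]]{4}){3}-[[:alnum:]]{11})";

/* Returns 1 on match, 0 on no match, -1 if the pattern does not compile.
 * ere = 0 compiles as POSIX BRE, ere = 1 as POSIX ERE. */
int re_match(const char *pat, int ere, const char *text)
{
    regex_t re;
    if (regcomp(&re, pat, REG_NOSUB | (ere ? REG_EXTENDED : 0)) != 0)
        return -1;
    int rc = regexec(&re, text, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void)
{
    /* In BRE an unescaped { is a literal character, so nothing matches. */
    printf("question pattern, BRE, full token: %d\n", re_match(PAT_QUESTION, 0, FULL));
    printf("question pattern, ERE, full token: %d\n", re_match(PAT_QUESTION, 1, FULL));
    printf("escaped braces,   BRE, full token: %d\n", re_match(PAT_QUESTION_BRE, 0, FULL));
    /* The logged token is one character short, so {12} fails even in ERE. */
    printf("question pattern, ERE, logged msg: %d\n", re_match(PAT_QUESTION, 1, MSG));
    printf("answer pattern,   ERE, logged msg: %d\n", re_match(PAT_ANSWER, 1, MSG));
    return 0;
}
```

rsyslog's property-based filters also provide an ereregex compare operation, which selects ERE where regex selects BRE.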
rsyslog, being the steaming pile of garbage that it is, doesn't accept curly braces in a regex, a fact which is completely unmentioned in the documentation. Thus, the following regex:
Needs to be rewritten as:
I haven't tested it... but it will be something like that