Write path for logging is problematic

My config for my template is as follows.

template (name="macfilter" type="string" string="/home/pi/nas/f/remotelogs/%programname:R,ERE,0,FIELD:(([0-9A-fa-f][0-9A-fa-f]: ?[0-9A-fa-f][0-9A-fa-f]: ?[0-9A-fa-f][0-9A-fa-f]: ?[0-9A-fa-f][0-9A-fa-f]: ?[0-9A-fa-f][0-9A-fa-f]: ?[0-9A-fa-f][0-9A-fa-f])|([0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]))--end%/%$now%.log")
*.* ?macfilter

My log files come in in one of many ways, but only one appears to be problematic.

This log works great, it goes to /home/pi/nas/f/0004f28210ae/date.log

2023-04-11T13:14:05-05:00 192.168.1.251 0004f28210ae|0411131405|clist|4|00|dbCfg: :getServerDir:Unknown dbCfg type

This does not. It goes to /home/pi/nas/f/2023-05-19.log

2023-04-06T01:00:03-05:00 075-137-050-066.res.spectrum.com [80: 5e:0c:9f:11:dc] sua [1026.2005]: FSM <6+info  > [003] allocating NICT context

I'm thinking it has something to do with the whitespace in the log. I've allocated for it in the regex, and the regex works according to the rsyslog regex tester, but I don't get the filepath I'm trying for.

However, when I try to trim the template string in any way, shape or fashion, it tells me extra stuff in my template, ignoring the extra stuff.

Any ideas? Am I even approaching this in the simplest fashion?

EDIT:

The two comments below were how I fixed it.

David Conway
# Choose the value that the template's regex will search.
if ($rawmsg contains "64167f" or $rawmsg contains "0004f2" or $rawmsg contains "9cadef" or $rawmsg contains "482567" or $rawmsg contains "80:") then {
    if ($rawmsg contains "80:") then {
        # MAC written like "80: 5e:0c:...": remove spaces, then colons, from the raw message.
        set $!nameval0 = replace($rawmsg, " ", "");
        set $!nameval = replace($!nameval0, ":", "");
    } else {
        set $!nameval = $app-name;
    }
} else {
    set $!nameval = $app-name;
}

# Directory name: the first run of 12 hex digits in $!nameval.
# FIELD is the no-match mode: if the regex finds nothing, all of $!nameval is used.
template (name="macfilter" type="string" string="/home/pi/nas/f/remotelogs/%$!nameval:R,ERE,0,FIELD:([0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f])--end%/%$now%.log")
*.* -?macfilter
meuh
Note, for an ERE regexp you can use the suffix group multiplier of form `{min,max}` or `{count}`. Replace the repeated `[0-9A-Fa-f]` sequence by `[0-9A-Fa-f]{12}`.
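
Added example (Python, not part of the thread and not rsyslog code): it simulates the answer's strip-then-match step beside a match-then-strip variant, and shows that removing spaces and colons from the whole message can fuse the timezone offset with a hostname into a false 12-digit match. It assumes `$rawmsg` has the layout of the log lines quoted in the question; `FUSED_LINE`, the `MAC` pattern and all function names are hypothetical.

```python
import re

# Constructed inputs. Assumption: $rawmsg has the layout of the log lines quoted
# in the question. PAGE_LINE is the failing line from the question; FUSED_LINE
# is the same line with a made-up hostname that begins with hex digits.
PAGE_LINE = ("2023-04-06T01:00:03-05:00 075-137-050-066.res.spectrum.com "
             "[80: 5e:0c:9f:11:dc] sua [1026.2005]: FSM <6+info  > [003] "
             "allocating NICT context")
FUSED_LINE = ("2023-04-06T01:00:03-05:00 deadbeef.example.net "
              "[80: 5e:0c:9f:11:dc] sua: link up")

HEX12 = re.compile(r"[0-9A-Fa-f]{12}")  # the answer's pattern in {12} form
# Hypothetical stricter pattern: six hex pairs joined by ":" or ": ", not
# touching other hex digits or colons on either side.
MAC = re.compile(r"(?<![0-9A-Fa-f:])[0-9A-Fa-f]{2}(?:: ?[0-9A-Fa-f]{2}){5}"
                 r"(?![0-9A-Fa-f:])")

def strip_then_match(rawmsg):
    """The answer's "80:" branch: drop spaces, drop colons, then take the
    first run of 12 hex digits anywhere in what is left."""
    if "80:" not in rawmsg:
        return None
    squeezed = rawmsg.replace(" ", "").replace(":", "")
    m = HEX12.search(squeezed)
    return m.group(0) if m else None

def match_then_strip(rawmsg):
    """Find the delimited MAC first, then remove its separators."""
    m = MAC.search(rawmsg)
    return re.sub(r"[: ]", "", m.group(0)).lower() if m else None

def log_dir(mac, base="/home/pi/nas/f/remotelogs"):
    """Build the per-device directory only from exactly 12 hex digits, so no
    other message content can reach the path."""
    if mac is None or not re.fullmatch(r"[0-9A-Fa-f]{12}", mac):
        return None
    return f"{base}/{mac.lower()}"

if __name__ == "__main__":
    for line in (PAGE_LINE, FUSED_LINE):
        print(strip_then_match(line), match_then_strip(line))
```

On the question's line both approaches agree; on the constructed line the squeezed text contains `0500deadbeef` before the real MAC, so the first 12-digit run is not the device address.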