How to split Rsyslog MSG by REGEX expression - linux

I have syslog message from my device. I am using Rsyslog and want to collect specific message from a specific folder using REGEX expression.
The configuration with the old syntax works as intended:
:msg, regex, "hostname0. %%01SHELL" /var/log/tel/hostname.log
... which produces the following logs (example):
Feb 1 17:41:18 hostname01 %%01SHELL/6/DISPLAY_CMDRECORD(s)[5461]: Recorded display command information. (Task=FW, Ip=**, VpnName=, User=_system_, AuthenticationMethod="Null", Command="display engine statistics system")
Feb 1 17:42:18 hostname02 %%01SHELL/6/DISPLAY_CMDRECORD(s)[5461]: Recorded display command information. (Task=FW, Ip=**, VpnName=, User=_system_, AuthenticationMethod="Null", Command="display engine statistics system")
My template in the new RainerScript syntax, is not working:
template (name="HOST_SHELL" type="string" string="/var/log/tel/%$YEAR%-%$MONTH%-%$DAY%-HOST-SHELL.log")
if re_match($msg, 'hostname0. %%01SHELL')
then {action(type="omfile" dynaFile="HOST_SHELL")
stop
}
But, nothing happens. Maybe there is another way to solve the problem, or correct my template.
In the future planned to filter:
hostname0. %%01ERRORS in folder /var/log/tel/%$YEAR%-%$MONTH%-%$DAY%-HOST-ERRORS.log

In your RainerScript syntax configuration, you are missing the if statement's closing brace } before the stop statement. You should include it after the action statement like this:
template (name="HOST_SHELL" type="string" string="/var/log/tel/%$YEAR%-%$MONTH%-%$DAY%-HOST-SHELL.log")
if re_match($msg, 'hostname0. %%01SHELL') then {
action(type="omfile" dynaFile="HOST_SHELL")
stop
}
Also, you may want to modify the regex pattern to include the dot character (.) in the hostname match pattern. The dot character has a special meaning in regex, and it matches any character. To match the literal dot character, you can escape it with a backslash (.). Here is an updated regex pattern:
if re_match($msg, 'hostname0\..* %%01SHELL') then {
...
}
This should match any message that starts with "hostname0." followed by any characters, then " %%01SHELL"

Related

How to filter out/ommit specific pattern in linux logs

I'm looking through massive log files on linux server. Is there any command to filter out (not to show) specific pattern?
For example if my log messages begin with A-1111, B-1111, C-1111 etc. Could I somehow filter so that logs with pattern A-XXXX wouldn't be shown, but all other patterns still would be present?
I' not really advanced with linux commands, thanks.
This is one of the reasons why grep has been invented. However, from your description I can't find out how the pattern looks like:
[A-C]-1111 : letters from A to C, followed by 1111
[A-C]-[0-9][0-9][0-9][0-9] : letters from A to C, followed by four digits
[A-Z]... : letters from A to Z, ...
...
Your first reaction: "This is not what I want: grep filters those expressions and shows them, and I want the opposite, I want not to show them!"
This can be solved by the -v flag in grep:
I have created a file with following content:
A-1111
B-1111
C-1111
A-2222
Whatever
This is the result of grep -v "[A-C]-1111" logfile.log:
A-2222
Whatever

Find and replace word with gap/wildcard in Android Studio

Is there any way to find a specific code with one or more gaps? For example, I want to replace
.setImageResource(R.drawable.*)
with
.setImageDrawable(ContextCompat.getDrawable(this, R.drawable.*))
Here * means the name will remain as was before.
Yes it is possible. Click Ctrl+Shift+R. You will see something like this:
Select Regex and then in first field paste:
.setImageResource\(R.drawable.(.*)\)
and in the second:
.setImageDrawable(ContextCompat.getDrawable(this, R.drawable.$1))
This replacement based on Regex. In the first statement, You set the group after R.drawable in the () brackets. This group can be used in the second statement by using $1. 1 is the number of the group. 0 is the full regex and the next groups start integrating from 1.
Result:
.setImageResource(R.drawable.something1)
.setImageResource(R.drawable.something2)
was changed to
.setImageDrawable(ContextCompat.getDrawable(this, R.drawable.something1))
.setImageDrawable(ContextCompat.getDrawable(this, R.drawable.something2))
Here You can read more about Find and replace with Regex in IntelliJ IDEA

Store Multiple Identical Results from Logstash

So, say I have an event coming into Logstash as a multiline object (there are many events that all basically match the pattern below):
Starting script at 2015-11-12 15:06 EST
Found result a at 127.0.0.1
Found result b at 127.0.0.1
Found result c at 0.0.0.0
Script ended at 2015-11-12 15:07 EST
How would I go about matching this in such a way as to store each of the "Found ..." lines separately?
My current config file is something like:
filter {
grok {
break_on_match => false
match => {
"message" => [
"Starting script at ${TIMESTAMP_ISO8601:run_time}",
"Found result %{GREEDYDATA:result} at ${IP:result_ip}"
]
}
}
}
As it stands, this only captures one of the "Found result..." lines. (That is, it matches them all, but only stores one of them - there's only one result variable output.) I'd like to individually capture them, and store them as an... well, anything, so long as they're all there.
Is there a way to capture multiple of the same pattern and store all of the resultant capture data distinctly, while keeping the whole multiline event together so that I can tie it to header data such as the script start time?
I think you can use the split filter to achieve what you want. It allows you to split one event into several parts. The indivdual parts are all copies of the original event as far as I remember. You have to play with the terminator parameter which controls when the message is split into parts.
Check out the docs at: https://www.elastic.co/guide/en/logstash/current/plugins-filters-split.html#plugins-filters-split-target

Extracting fields in Logstash

I am using Logstash (with Kibana as the UI). I would like to extract some fields from my logs so that I can filter by them on the LHS of the UI.
A sample line from my log looks like this:
2013-07-04 00:27:16.341 -0700 [Comp40_db40_3720_18_25] client_login=C-316fff97-5a19-44f1-9d87-003ae0e36ac9 ip_address=192.168.4.1
In my logstash conf file, I put this:
filter {
grok {
type => "mylog"
pattern => "(?<CLIENT_NAME>Comp\d+_db\d+_\d+_\d+_\d+)"
}
}
Ideally, I would like to extract Comp40_db40_3720_18_25 (the number of digits can vary, but will always be at least 1 in each section separated by _) and client_login (can also be client_logout). Then, I can search for CLIENT_NAME=Comp40... CLIENT_NAME=Comp55, etc.
Am I missing something in my config to make this a field that I can use in Kibana?
Thanks!
If you are having any difficulty getting the pattern to match correctly, using the Grok Debugger is a great solution.
For your given problem you could just separate out your search data into another variable, and save the additional varying digits in another (trash) variable.
For example:
(?<SEARCH_FIELD>Comp\d+)%{GREEDYDATA:trash_variable}]
(Please use the Grok Debugger on the above pattern)

Regular Expression validating hyperlink for export to Excel

I have a web application that takes input from a user, usually in the form of a filepath, hyperlink, or fileshare, but not always. A user may enter "\my.fileshare.com", "http://www.msdn.com", or "In my file cabinent". These inputs are exported to a Excel file. However, if the input is in the form of "\look on my desk" or "http://here it is" (notice the spaces), after the file is exported, and opened, Excel raises the ever so descriptive error message of, and I quote, "Error".
I'm adding to the existing code a regular expression validator to the textbox the user enters and edits these locations in. Because there are a large number of existing entries, the validator needs to be specific as possible, and only toss out the inputs that cause the Excel export to break. For example "\Will Work" will work, as will "Will Work", and "\This\will also work". I need a regular expression that if the string starts with \, http://, https://, ftp://, ftps://, the server or fileshare name does not have a space in it, and if it does not start with the \, http://, https://, ftp://, ftps://, its fine regardless.
I've been able to write the first part
^(\\)[^ \]+(\.)$|^(((ht|f)tp(s)?)://)[^ /]+(/.)$
but I can't figure out how to say ignore everything if it does not start with \, http://, https://, ftp://, ftps://.
^(?:(?:\\|(?:ht|f)tps?://)\S+|(?!\\|(?:ht|f)tps?://).*)$
Explained:
^ # start-of string
(?: # begin non-capturing group
(?:\\|(?:ht|f)tps?://)\S+ # "\, http, ftp" followed by non-spaces
| # or
(?!\\|(?:ht|f)tps?://).* # NOT "\, http, ftp" followed by anything
) # end non-capturing group
$ # end-of-string
This is pure, unescaped regex. Add character escaping according to the rules of your environment.
EDIT: Ooops premature.
This expression still doesn't allow "http://www.google.com/hello world" :/
EDIT FOR A THIRD TIME
Here we go!
^(?:(?:\\|(?:ht|f)tps?://)[^ /\]+([/\].)?|(?!\\|(?:ht|f)tps?://).)$

Resources