New style RainerScript syntax does not work with filters regex and ereregex #2899

Open
selivan opened this issue Aug 1, 2018 · 7 comments

@selivan
Contributor

selivan commented Aug 1, 2018

Expected behavior

rsyslog should be able to use regex and ereregex filters with new syntax.

Actual behavior

rsyslogd -N 1, if new syntax is used:

rsyslogd: version 8.36.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: error during parsing file /etc/rsyslog.d/test.conf, on or before line 18: syntax error on token 'regex' [v8.36.0 try http://www.rsyslog.com/e/2207 ]
rsyslogd: could not interpret master config file '/etc/rsyslog.conf'. [v8.36.0 try http://www.rsyslog.com/e/2207 ]

If old syntax is used:

rsyslogd: version 8.36.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

Steps to reproduce the behavior

Use message filter regex or ereregex with new syntax and get an error:

if ( $msg regex "filterme" ) then stop

The same new syntax with startswith filter works fine:

if ( $msg startswith "filterme" ) then stop

Old syntax with ereregex filter works fine:

:msg, ereregex, "filterme" stop

Environment

  • rsyslog version: 8.36.0
  • platform: Ubuntu 16.04
  • for configuration questions/issues, include rsyslog.conf and included config files

rsyslog.conf: https://gist.github.com/selivan/9892cd2bcb8ea2edc7ab3d601e2d39d8

test.conf:

input(type="imfile"
        File="/var/log/test/debug.log"
        Tag="test__debug.log"
        Ruleset="test_logs")

ruleset(name="test_logs") {
        # Filter unnecessary messages
        # ereregex: POSIX ERE regular expression
        # See https://www.rsyslog.com/doc/v8-stable/configuration/filters.html#compare-operations

        if ( $msg regex ".*" ) then stop
        # Old syntax works:
        #:msg, ereregex, "filterme" stop

        call sendToLogserver
}
@selivan
Contributor Author

selivan commented Aug 21, 2018

This issue seems abandoned 😴

@markkrj

markkrj commented Sep 25, 2018

@selivan I think you can use re_match() function.
Try:

if re_match($msg, ".*") then stop

Rsyslog documentation is awful. I managed to find some clues when I found the RainerScript functions page and googled for rsyslog if re_match.

@selivan
Contributor Author

selivan commented Sep 25, 2018

@markkrj Thanks for this workaround, it looks better than using old style syntax.

Still, dysfunctional regex and ereregex with new style syntax should be fixed.

@rgerhards Sorry to bother, this is not a high priority issue. But could you please at least look and confirm that it is a bug and it's gonna be fixed someday.

@rgerhards
Member

> Sorry to bother, this is not a high priority issue. But could you please at least look and confirm that it is a bug and it's gonna be fixed someday.

Well, actually this is not a bug. The old style property filters are different from what the script statements do. For the new style, we have re_match() - there are no regex or ereregex comparisons by intent. In new style, this is much better done via functions.
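The substitution described in the reply above, as an added example that is not part of the original thread or rsyslog's own code: a small Python checker that finds script-style `if` conditions using the legacy `regex`/`ereregex` compare operators and proposes the `re_match()` form. The helper name `check_config` and the sample config are assumptions constructed for illustration; the note on `regex` rewrites reflects that the legacy `regex` operator is POSIX BRE while `re_match()` uses POSIX ERE.

```python
import re

# Added example: flags legacy compare operators used inside a script-style
# "if" and proposes the re_match() form. check_config() is a hypothetical helper.
_IF_LEGACY_RE = re.compile(
    r'^(?P<indent>\s*)if\s*\(?\s*(?P<prop>\$[\w!.-]+)\s+'
    r'(?P<op>ereregex|regex)\s+(?P<pat>"(?:[^"\\]|\\.)*")\s*\)?\s*'
    r'then\b(?P<rest>.*)$'
)

def check_config(text):
    """Return (line_no, suggested_line, note) for each offending line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _IF_LEGACY_RE.match(line)  # '#' comment lines never match
        if not m:
            continue
        fixed = "{indent}if re_match({prop}, {pat}) then{rest}".format(**m.groupdict())
        # Legacy 'regex' is POSIX BRE, while re_match() is POSIX ERE, so
        # characters such as + ? | ( ) may change meaning after the rewrite.
        note = "BRE->ERE: re-check pattern" if m.group("op") == "regex" else ""
        findings.append((line_no, fixed, note))
    return findings

# Constructed sample based on the test.conf in the report, plus one ereregex line.
SAMPLE_CONF = '''\
ruleset(name="test_logs") {
        if ( $msg regex ".*" ) then stop
        if $msg ereregex "filter(me|you)" then stop
        if ( $msg startswith "filterme" ) then stop
        #:msg, ereregex, "filterme" stop
        call sendToLogserver
}
'''

if __name__ == "__main__":
    for line_no, fixed, note in check_config(SAMPLE_CONF):
        print(f"line {line_no}: use -> {fixed.strip()}  {note}")
```

Run the proposed config through `rsyslogd -N 1` afterwards, as in the report, to confirm it parses.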

@rgerhards
Member

> Rsyslog documentation is awful

ack, albeit it got better. But keep in mind this is open source, so you can easily help improve it.

@kyparisisg

kyparisisg commented Dec 23, 2019

Since this is still open, I would also like to ask a question if someone can help me....
Let's say I have a log which went through mmjsonparse and also mmnormalize.
I know that the log has been parsed successfully.
Then I would like to replace some characters of a field that was internally generated by mmnormalize. I want to do the replacement using regex.

For example, the field's name generated by mmnormalize is $url
I want to replace "([0-9])" with "."
How do I do that?
I tried replace(str, s1, r1) but it does not work because I cannot give regex as s1.
However I tried re_extract() to get the exact characters which I want to replace and then give them as input to replace(str, s1, r1) but still does not work...
Any ideas to make that working?

@davidelang
Contributor

davidelang commented Dec 23, 2019 via email
