动态Rsyslog模板

Question

我有一个Rsyslog配置，如下所示：

template(name="extract" type="string" string="%msg:R:/(?:"(level)":")((\\"|

[^"])*)"/g–end%")

if $InputFileTag == 'esblog' then {
    set $!level = exec_template("extract");
} else {
    set $!level = $syslogseverity-text;
}

template(name="json_lines" type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"host\":\"")        property(name="hostname")
      constant(value="\",\"json.level\":\"")    property(name="$!level" format="json")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"tag\":\"")   property(name="syslogtag" format="json")
      constant(value="\",\"message\":\"")    property(name="msg" format="json")
    constant(value="\"}")
}

基本上，如果源标记是esblog，我想使用这个正则表达式，从“提取”中提取出日志消息的严重性。否则，我希望使用默认的严重性。然后在json.level标签中使用这个变量，这样我就只需要在传出消息上使用一个模板。但还没能成功。

使用RegEx：https://regex101.com/r/lN4tD4/1的示例消息

错误日志

0341.407068000:main thread    : error: can not find regex end in: '(?:"level":")(\"|[^"]*)"–end%'
0341.407084000:main thread    : PROP_INVALID for name ''
0341.407097000:main thread    : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 32: invalid property ''
0341.407195000:main thread    : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 32: error processing template object
0341.407350000:main thread    : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 33: exec_template(): template 'extract' 

Answer 1

RegEx只是需要改变。

template(name="extract" type="string" string="%msg:R,ERE,2,DFLT:(\"level\":\")(\\\"|[^\"]*)\"--end%")


if $programname contains "esb-log" then {
    set $!level = exec_template("extract");
} else {
    set $!level = $syslogseverity-text;
}

在线Rsyslog RegEx工具：http://www.rsyslog.com/regex/