
rsyslog regex wont become greedy


I am writing an rsyslog template to filter src and dst IP from events, but the regular expression is only returning the first match.

Sample Event:

ulogd[20230]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="89" initf="eth1" outitf="eth0" srcmac="aa:bb:cc:dd:ee:2c" dstmac="00:11:22:ff:cc:aa" srcip="10.10.1.250" dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="64405" dstport="1133" tcpflags="ACK"

Template syntax

%msg:R,ERE,0,FIELD:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})+--end%

REGEX

([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})+

I am testing with: https://www.rsyslog.com/regex/


Solution

  • If you only have to match exactly 2 IPs, then you can just repeat the regex pattern in 2 property replacers, where the second one specifies that the second matching IP address is to be taken.

    Using "..." to stand for the pattern [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}, just to make it more readable, you would have

    %msg:R,ERE,0,FIELD,0:...--end%
    %msg:R,ERE,0,FIELD,1:...--end%
    

    or in full:

    $template outfmt,"%msg:R,ERE,0,FIELD,0:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}--end%  %msg:R,ERE,0,FIELD,1:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}--end%\n"
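An added example, not part of the question or the answer above, that models the behaviour of rsyslog's `R,ERE,<submatch>,<nomatch>,<match>` property replacer in Python so the match numbering can be checked offline. The function `property_replacer` and the sample events are my own constructions (the first event is the ulogd line from the question; the other two are made up to show failure modes); they are an assumption about how the replacer walks successive matches, not rsyslog's code. It shows why the trailing `+` on the group never yields both addresses in one match, that selecting match 0 and match 1 works as the answer says, and two caveats a practitioner will hit: with `FIELD` as the no-match action an event carrying only one address puts the entire message into the second column, and positional matching silently swaps src and dst if the fields ever arrive in another order. Anchoring on the `srcip="..."`/`dstip="..."` labels and taking submatch 1 avoids both problems.

```python
import re

# Constructed sample input: the ulogd event from the question, as one string.
EVENT = (
    'ulogd[20230]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" '
    'name="Packet accepted" action="accept" fwrule="89" initf="eth1" outitf="eth0" '
    'srcmac="aa:bb:cc:dd:ee:2c" dstmac="00:11:22:ff:cc:aa" srcip="10.10.1.250" '
    'dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" '
    'srcport="64405" dstport="1133" tcpflags="ACK"'
)

# Constructed variants (not from the question): fields reordered, and only one address.
SWAPPED_EVENT = EVENT.replace(
    'srcip="10.10.1.250" dstip="192.168.0.1"', 'dstip="192.168.0.1" srcip="10.10.1.250"'
)
ONE_IP_EVENT = EVENT.replace(' dstip="192.168.0.1"', "")

# The dotted-quad pattern from the question (ERE and Python re agree on this subset).
IPV4 = r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"


def property_replacer(msg, regex, submatch=0, nomatch="FIELD", match=0):
    """Model of %msg:R,ERE,<submatch>,<nomatch>,<match>:regex--end% (assumption).

    The regex is applied repeatedly, each run starting after the previous hit,
    and the <match>-th hit (0-based) is returned; <submatch> 0 is the whole hit,
    N is capture group N.  With nomatch=FIELD the entire property is returned
    when that hit does not exist; BLANK returns an empty string instead.
    """
    hits = list(re.finditer(regex, msg))
    if match >= len(hits):
        return msg if nomatch == "FIELD" else ""
    return hits[match].group(submatch)


def count_hits(msg, regex):
    """Number of separate, non-overlapping matches the pattern produces."""
    return len(list(re.finditer(regex, msg)))


def positional_ips(msg):
    """The answer's approach: first and second IPv4 match in the message."""
    return (
        property_replacer(msg, IPV4, match=0),
        property_replacer(msg, IPV4, match=1),
    )


def keyed_ips(msg):
    """Label-anchored alternative: take capture group 1 after srcip=/dstip=,
    so the result does not depend on field order or on other dotted quads."""
    return (
        property_replacer(msg, r'srcip="(' + IPV4 + r')"', submatch=1),
        property_replacer(msg, r'dstip="(' + IPV4 + r')"', submatch=1),
    )


if __name__ == "__main__":
    # The + on the group cannot join both addresses into one match: the closing
    # quote after srcip stops the repetition, so there are still two hits and
    # match 0 is just the first address.
    print(count_hits(EVENT, "(" + IPV4 + ")+"))
    print(property_replacer(EVENT, "(" + IPV4 + ")+"))
    print(positional_ips(EVENT))
    print(positional_ips(SWAPPED_EVENT))   # src/dst silently swapped
    print(positional_ips(ONE_IP_EVENT)[1]) # whole message, because of FIELD
    print(keyed_ips(EVENT), keyed_ips(SWAPPED_EVENT))
```

The keyed form maps back to rsyslog as a replacer with submatch 1 and the label inside the pattern, for example `%msg:R,ERE,1,FIELD:srcip="([0-9.]+)"--end%` (the inner double quotes need escaping inside a legacy `$template` string; verify the exact escaping against your rsyslog version). Whichever form is used, decide deliberately between `FIELD` and `BLANK`: a no-match that returns the whole message is easy to miss in a downstream parser or SIEM column.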