I have the below rsyslog config which reads a non-standard formatted log file and parses the data I need into a JSON payload. Now, when I'm trying to extract everything behind the last set of brackets, which can contain [Info ] or [Error ], it throws an error saying: error compiling regex. I know the regex pattern (?:\[Info\s*\]|\[Error\s*\])\s*(.*) should work (tested on the regex checker on rsyslog's website, as well as on other checkers) but I don't quite understand why rsyslog can't compile it. If I don't escape brackets, it's throwing a bunch of other errors. Am I missing something obvious?
/path/to/log/file.log
11955 - [Mon Apr 6 20:40:03 2023] [Info ] This message can contain anything [d54d13fa-4657-4891-f99d08674ee]
/etc/rsyslog.d/mylog.conf
module(load="imfile")
input(type="imfile" tag="mylog" file="/path/to/log/file.log")
template(name="jsonFormat" type="list" option.jsonf="on") {
    property(outname="msg" name="msg" regex.expression="(?:\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)" regex.type="ERE" regex.submatch="1" format="jsonf")
}
if ($syslogtag == "mylog") then {
    action(type="omfile" file="/path/to/output/file.log" template="jsonFormat")
}
# rsyslogd -N1
rsyslogd: error compiling regex '(?:\[Info\s*\]|\[Error\s*\])\s*(.*)' [v8.2302.0]
The regex ERE syntax does not include the non-capture syntax (?:). Perhaps the regex checker is for a newer version of rsyslog.
You can simply change the regex.submatch to 2:
regex.expression="(\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)"
regex.submatch="2"
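
Added example (not part of the original post or of rsyslog's code): a small C check against the C library's POSIX regcomp() with REG_EXTENDED, the ERE dialect the answer refers to. It shows the question's (?:...) pattern being rejected and the answer's pattern returning the message text as submatch 2. The helper names and the second sample line are constructed for illustration, and glibc is assumed because \s is a GNU extension to ERE.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* C escaping doubles the backslashes; the compiled patterns are the ones
 * shown in the rsyslogd error message and in the answer. */
static const char *PAT_NONCAPTURE = "(?:\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)";
static const char *PAT_FIXED      = "(\\[Info\\s*\\]|\\[Error\\s*\\])\\s*(.*)";

/* Sample lines: the first is the one from the question, the second is constructed. */
static const char *LINE_INFO =
    "11955 - [Mon Apr 6 20:40:03 2023] [Info ] This message can contain anything [d54d13fa-4657-4891-f99d08674ee]";
static const char *LINE_ERROR =
    "11956 - [Mon Apr 6 20:40:04 2023] [Error ] disk quota exceeded";

/* Returns 0 if pat compiles as POSIX ERE, else the regcomp() error code. */
int ere_compile_status(const char *pat) {
    regex_t re;
    int rc = regcomp(&re, pat, REG_EXTENDED);
    if (rc == 0) regfree(&re);
    return rc;
}

/* Copies submatch `sub` of pat applied to line into out (NUL-terminated).
 * Returns 0 on success; -1 on compile error, no match, unset group or truncation. */
int ere_submatch(const char *pat, const char *line, size_t sub, char *out, size_t outlen) {
    regex_t re;
    regmatch_t m[8];
    int rc = -1;
    if (sub >= 8 || regcomp(&re, pat, REG_EXTENDED) != 0) return -1;
    if (regexec(&re, line, 8, m, 0) == 0 && m[sub].rm_so != -1) {
        size_t len = (size_t)(m[sub].rm_eo - m[sub].rm_so);
        if (len < outlen) {
            memcpy(out, line + m[sub].rm_so, len);
            out[len] = '\0';
            rc = 0;
        }
    }
    regfree(&re);
    return rc;
}

int main(void) {
    char buf[256];
    printf("regcomp rc: non-capture=%d fixed=%d\n",
           ere_compile_status(PAT_NONCAPTURE), ere_compile_status(PAT_FIXED));
    if (ere_submatch(PAT_FIXED, LINE_INFO, 2, buf, sizeof buf) == 0) printf("msg=%s\n", buf);
    if (ere_submatch(PAT_FIXED, LINE_ERROR, 2, buf, sizeof buf) == 0) printf("msg=%s\n", buf);
    return 0;
}
```

Running a candidate pattern through a check like this before `rsyslogd -N1` separates ERE syntax problems from rsyslog config-quoting problems.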