syslog pattern match

neilobrien · ‎04-05-2012

Hi Guys,

I'm looking for a way to setup a syslog pattern match on everything except a particular string.

So for example, I want to monitor the rate at which new logs appears in the local buffer with the exception of messages with %PARSER contained in them.

I have the basics working but I'm having trouble finding a regex expression that will do this.

Thanks in advance,

Neil

mtimm · ‎04-05-2012

To match everything but a specific pattern you would likely need to use a zero length negative lookahead regular expressin pattern. These have been supported in Tcl regexp since 8.1 and Cisco IOS provides Tcl 8.3.4 if I remember correctly. So something along the lines of '^(?!PARSER).*'. I don't believe the % is presented to EEM (but a debug could help prove that, I simply forget if it is actually) and I assume then that the string you would be comparing this to would then start with PARSER. If not you could remove the ^ anchor.

neilobrien · ‎04-05-2012

Thanks mtimm - I did try this (or something similar) however I get the below error when the "?" is used in the regex expression.

Note: I am adding the "?" after executing ctrl-v

%EEM: Failed to create event for applet SYSLOG:regular expression compilation error

Joe Clarke · ‎04-05-2012

Sadly EEM applet regexp is not as fully capable as Tcl regexp. I believe Mike's example will work in a Tcl policy. If you write up the applet you'd like in a text editor, paste it into http://www.marcuscom.com/covert_applet/ to get the Tcl version.

mtimm · ‎04-05-2012

Hmm... something in the back of my brain is telling me that we may be running into an issue where the regular expression package used is not the Tcl one for this situation. It has been a couple of years since I last looked at this code though so I can't remember. Let me spend some time looking at it again.