Testing logwatch regular expressions

Started by tickett, April 28, 2019, 10:59:50 PM

tickett

I'm having a bit of a nightmare trying to configure some regular expressions (mainly because debugging is really tricky - having to keep restarting the agent, tweaking the XML, throwing some fake lines into the logfile, etc.).
Is there an easy way to test/troubleshoot my regular expressions?
I've used sites like https://regex101.com/ before, but it looks like the NetXMS engine works a little differently. https://www.regextester.com seemed to provide a slightly closer result but still not everything that works on there works in NetXMS.

Here's an example of one I got working:
Error\s\|\s(.*)

Here's an example of one I'm struggling with (it's supposed to work similarly to the above expression, matching anything after error but not if it contains the word timed):
Error\s\|\s(?!.*timed)(.*)

Any pointers would be great (as I say, rather somewhere I can test or a way in NetXMS I can debug more easily).
Thanks

Victor Kirhenshtein

Hi,

We are using libtre as the regexp engine; its regexp syntax is described here: https://laurikari.net/tre/documentation/regex-syntax/.

There are two options for testing regexps and parsers:

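1. Create a simple NXSL script like the one below:

// Arguments: $1 = regular expression, $2 = text to test.
// After a successful match, $1, $2, ... are overwritten by the capture groups
// (only as many as the expression defines).
if ($2 match $1)
{
   println "Matched";
   println "  CG1 = " . $1;
   println "  CG2 = " . $2;
   println "  CG3 = " . $3;
   println "  CG4 = " . $4;
   println "  CG5 = " . $5;
}
else
{
   println "Not matched";
}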


and run it from the command line:

victor@hp8570w ~/tmp $ /opt/netxms/bin/nxscript regex.nxsl 'Error\s(.*)' 'Error 44'
NetXMS Scripting Host  Version 3.0.1690
Copyright (c) 2005-2018 Victor Kirhenshtein

Matched
  CG1 = 44
  CG2 = Error 44
  CG3 =
  CG4 =
  CG5 =
victor@hp8570w ~/tmp $


2. Use the nxlptest tool (I'm not sure, though, if it is included in the deb packages). It allows you to run a specific log parser from the command line, overriding the trace level and file name specified in the parser. For example, if I want to test a parser on my syslog I can do it like this:

/opt/netxms/bin/nxlptest -D9 -t9 -f /tmp/syslog /opt/netxms/etc/syslog_parser.xml

It will run the parser from /opt/netxms/etc/syslog_parser.xml with maximum diagnostic output, reading data from /tmp/syslog instead of /var/log/syslog as defined in the parser.

Best regards,
Victor

tickett

Brill, thanks Victor - we are running NetXMS on Windows, so it may be a little different, but I will look into your suggestions.

Meanwhile I figured rather than trying to write a clever regex to exclude certain things I could create rules which don't raise events. So I have ended up with something like:

  <rules>
    <rule>
      <match>Error\s\|\sOrder\shas\stimed\sout</match>
    </rule>
    <rule>
      <match>Error\s\|\sRetrieved\sPostcode:\s;</match>
    </rule>
    <rule>
      <match>Error\s\|\s(.*)</match>
      <event>100050</event>
    </rule>
  </rules>
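
An offline dry run of the rule set above, as an added example that is not part of the original thread or NetXMS code. It assumes the parser stops at the first matching rule (so the event-less rules act as suppressions) and that the agent's regexp engine rejects Perl-style lookaround such as `(?!...)`; Python's `re` stands in for libtre, and the log lines are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Rule set copied from the post above.
RULES_XML = r"""
<rules>
  <rule><match>Error\s\|\sOrder\shas\stimed\sout</match></rule>
  <rule><match>Error\s\|\sRetrieved\sPostcode:\s;</match></rule>
  <rule><match>Error\s\|\s(.*)</match><event>100050</event></rule>
</rules>
"""

# Perl-style lookahead/lookbehind; assumed unsupported by the agent's engine.
LOOKAROUND = re.compile(r"\(\?<?[=!]")

def unsupported(pattern):
    """True if the pattern relies on lookaround, which Python accepts silently."""
    return bool(LOOKAROUND.search(pattern))

def load_rules(xml_text):
    """Return [(pattern_text, compiled_regex, event_or_None)] in document order."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("rule"):
        pattern = rule.findtext("match")
        rules.append((pattern, re.compile(pattern), rule.findtext("event")))
    return rules

def evaluate(rules, line):
    """First matching rule decides (assumed default). Returns
    (rule_index, event, capture_groups), or None if no rule matches."""
    for index, (_, regex, event) in enumerate(rules):
        m = regex.search(line)
        if m:
            return index, event, m.groups()
    return None

# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    "2019-04-28 22:10:01 | Error | Order has timed out",
    "2019-04-28 22:10:05 | Error | Retrieved Postcode: ;",
    "2019-04-28 22:10:09 | Error | Database connection refused",
    "2019-04-28 22:10:12 | Info | Order received",
]

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for pattern, _, _ in rules:
        if unsupported(pattern):
            print("lookaround in rule, rewrite it:", pattern)
    for line in SAMPLE:
        print(line, "->", evaluate(rules, line))
```

A line that reaches the last rule is the only kind that raises event 100050, so a suppression rule placed after the catch-all would never take effect under this assumption.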