NetXMS Support Forum

English Support => General Support => Topic started by: tickett on April 28, 2019, 10:59:50 PM

Title: Testing logwatch regular expressions
Post by: tickett on April 28, 2019, 10:59:50 PM
I'm having a bit of a nightmare trying to configure some regular expressions (mainly because debugging is really tricky: having to keep restarting the agent, tweaking the XML, throwing some fake lines into the logfile, etc.).
Is there an easy way to test/troubleshoot my regular expressions?
I've used sites like https://regex101.com/ before, but it looks like the NetXMS engine works a little differently. https://www.regextester.com seemed to provide a slightly closer result but still not everything that works on there works in NetXMS.

Here's an example of one I got working:
Error\s\|\s(.*)

Here's an example of one I'm struggling with (it's supposed to work similarly to the above expression, matching anything after error but not if it contains the word timed):
Error\s\|\s(?!.*timed)(.*)

Any pointers would be great (as I say, rather somewhere I can test or a way in NetXMS I can debug more easily).
Thanks

Title: Re: Testing logwatch regular expressions
Post by: Victor Kirhenshtein on April 29, 2019, 11:34:05 AM
Hi,

We are using libtre as the regexp engine; its regexp syntax is described here: https://laurikari.net/tre/documentation/regex-syntax/

There are two options for testing regexps and parsers:

1. Create a simple NXSL script like the one below:

if ($2 match $1)
{
   println "Matched";
   println "  CG1 = " . $1;
   println "  CG2 = " . $2;
   println "  CG3 = " . $3;
   println "  CG4 = " . $4;
   println "  CG5 = " . $5;
}
else
{
   println "Not matched";
}


and run it from the command line:

victor@hp8570w ~/tmp $ /opt/netxms/bin/nxscript regex.nxsl 'Error\s(.*)' 'Error 44'
NetXMS Scripting Host  Version 3.0.1690
Copyright (c) 2005-2018 Victor Kirhenshtein

Matched
  CG1 = 44
  CG2 = Error 44
  CG3 =
  CG4 =
  CG5 =
victor@hp8570w ~/tmp $


2. Use the nxlptest tool (I'm not sure, though, if it is included in the deb packages). It allows you to run a specific log parser from the command line, overriding the trace level and file name specified in the parser. For example, if I want to test a parser on my syslog, I can do it like this:

/opt/netxms/bin/nxlptest -D9 -t9 -f /tmp/syslog /opt/netxms/etc/syslog_parser.xml

It will run the parser from /opt/netxms/etc/syslog_parser.xml with maximum diagnostic output, reading data from /tmp/syslog instead of /var/log/syslog as defined in the parser.

Best regards,
Victor

Title: Re: Testing logwatch regular expressions
Post by: tickett on April 29, 2019, 06:29:06 PM
Brill, thanks Victor. We are running NetXMS on Windows, so it may be a little different, but I will look into your suggestions.

Meanwhile, I figured that rather than trying to write a clever regex to exclude certain things, I could create rules which don't raise events. So I have ended up with something like:

  <rules>
    <rule>
      <match>Error\s\|\sOrder\shas\stimed\sout</match>
    </rule>
    <rule>
      <match>Error\s\|\sRetrieved\sPostcode:\s;</match>
    </rule>
    <rule>
      <match>Error\s\|\s(.*)</match>
      <event>100050</event>
    </rule>
  </rules>