Hello,
I made custom patterns like that:
SMDPROG (systemd|systemd\-logint|Systemd\-logint)
SMDSESSIONNUM \b(?:[1-9][0-9]*)\b
SMDUSER [A-Za-z]{1,20}([.][A-Za-z]{0,20})?
SMDACTION1 ([A-Za-z]{1,9}([.]?))
SMDACTION2 ([A-Za-z]{13,13}\s[A-Za-z]{1,4}\s(\/[a-z]{1,10}\/[a-z]{1,10}\/[a-z]{1,10}\/[a-z]{1,10}\/[a-z]{1,10}\.[a-z]{1,10})\s[A-Za-z]{1,2}\s[A-Za-z]{6,6}\s[A-Za-z]{5,5}\-[A-Za-z]{12,12}[.]\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}\s[A-Za-z]{1,20}[.]\s([A-Za-z]{1,20}\s[A-Za-z]{1,20})[.])
SMDACTION (%{SMDACTION1}|%{SMDACTION2})
SMDEXECTYPE1 ([A-Za-z]{7,7}\s[A-Za-z]{2,2}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}[.])
SMDEXECTYPE2 ([A-Za-z]{7,7}\s%{SMDSESSIONNUM:smd_sess_num}(\s[A-Za-z]{2,2}\s[A-Za-z]{4,4}\s%{SMDUSER:smd_user}[.]?))
SMDEXECTYPE3 ([A-Za-z]{4,4}\-[0-9][.][A-Za-z]{5,5}[.])
SMDEXECTYPE4 ([A-Za-z]{0,20}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}([.][.][.]))
SMDEXECTYPE (%{SMDEXECTYPE1}|%{SMDEXECTYPE2}|%{SMDEXECTYPE3}|%{SMDEXECTYPE4})
My filter match looks like that:
%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SMDPROG:syslog_program}?: %{SMDACTION:smd_action} %{SMDEXECTYPE:smd_exec}
For some reason logs like that aren't getting parsed.
May 11 12:42:12 node1 systemd: Reloading.
But logs like that are parsed ok:
May 11 12:42:12 node1 systemd: Satrted user root.
I need both types to be parsed, not just one. As far as I can get, the problem is that when the former log is being parsed, %{SMDEXECTYPE:smd_exec} cannot be found and that is why something is wrong. Is it possible to make the %{SMDEXECTYPE:smd_exec} optional somehow without making the latter log parse in a wrong way?
P.S. I tried (%{SMDEXECTYPE:smd_exec})?, but for some reason my first log still doesn't get parsed.
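Added illustration, not part of the original post: a small Python script that expands these grok definitions into regexes and runs the "Reloading." line against the original match, the (...)? attempt from the P.S., and a variant where the literal space sits inside the optional group. SYSLOGTIMESTAMP/SYSLOGHOST are simplified stand-ins for the stock Logstash patterns, SMDACTION2 and SMDEXECTYPE3/4 are omitted because neither sample line reaches them, and the "Started Session" line is constructed.

```python
import re

PATTERNS = {
    # Constructed, simplified stand-ins for the stock grok patterns.
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "SYSLOGHOST": r"[\w.-]+",
    # Custom patterns as defined in the post.
    "SMDPROG": r"(systemd|systemd\-logint|Systemd\-logint)",
    "SMDSESSIONNUM": r"\b(?:[1-9][0-9]*)\b",
    "SMDUSER": r"[A-Za-z]{1,20}([.][A-Za-z]{0,20})?",
    "SMDACTION1": r"([A-Za-z]{1,9}([.]?))",
    "SMDACTION": r"(%{SMDACTION1})",
    "SMDEXECTYPE1": r"([A-Za-z]{7,7}\s[A-Za-z]{2,2}\s[A-Za-z]{0,20}\s[A-Za-z]{0,20}[.])",
    "SMDEXECTYPE2": r"([A-Za-z]{7,7}\s%{SMDSESSIONNUM:smd_sess_num}(\s[A-Za-z]{2,2}\s[A-Za-z]{4,4}\s%{SMDUSER:smd_user}[.]?))",
    "SMDEXECTYPE": r"(%{SMDEXECTYPE1}|%{SMDEXECTYPE2})",
}

REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}

def grok_to_regex(pattern):
    """Recursively expand %{NAME[:field]} references into a Python regex with named groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return REF.sub(expand, pattern)

def grok_match(pattern, line):
    """Return the captured fields, or None when the line would get _grokparsefailure.
    Like grok, the regex is not anchored, so re.search is used."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

HEAD = (r"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} "
        r"%{SMDPROG:syslog_program}?: %{SMDACTION:smd_action}")
ORIGINAL = HEAD + r" %{SMDEXECTYPE:smd_exec}"       # match from the post
ATTEMPT = HEAD + r" (%{SMDEXECTYPE:smd_exec})?"     # P.S. variant: the space before ( is still mandatory
FIXED = HEAD + r"( %{SMDEXECTYPE:smd_exec})?"       # space moved inside the optional group

RELOAD = "May 11 12:42:12 node1 systemd: Reloading."                      # from the post
STARTED = "May 11 12:42:12 node1 systemd: Started Session 1 of user root."  # constructed

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("attempt", ATTEMPT), ("fixed", FIXED)):
        for line in (RELOAD, STARTED):
            print(name, "->", grok_match(pat, line))
```

Note that SMDUSER's optional `([.][A-Za-z]{0,20})?` group greedily swallows the trailing dot, so smd_user comes out as "root." rather than "root"; an exact-match lookup on that field would miss.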