In the following Fixlet:
not exists 1 whose ((0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^\s**.*\s+@") of it) of it, "^\s**.*\s+@", 1) of it) of files "/etc/rsyslog.conf" or 0 = number of packages "rsyslog" of rpm))
I am wanting to change the regex “^\s**.*\s+@” to look for "authpriv." to be compliant. I have tried the following with no results:
^\s^authpriv.*\s+@
^\s*[a-zA-Z]*.*\s+@
That regex would match as follows…
^ - start of a line
\s* - any number of spaces (including 0)
\^ - the literal caret ^ symbol (why is this here?)
authpriv.* - the literal string "authpriv" followed by anything
\s+ - at least one, and possibly more, whitespace characters
@ - the literal "@" symbol
I’ve tried ^\s*^authpriv.\s+@ with no success. Using ^\s[a-zA-Z].\s+@ I have found some success. Not sure as to why the second Regex works and the first does not.
The second regex would match lines that send a log to a remote syslog host, even if that is not an authpriv log.
Can you post your full relevance statement?
not exists 1 whose ((0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^\s*^authpriv.*\s+@") of it) of it, "^\s*^authpriv.*\s+@", 1) of it) of files "/etc/rsyslog.conf" or 0 = number of packages "rsyslog" of rpm))
It’s just the “Ensure rsyslog is configured to send logs to a remote log host” fixlet with the regex changed.
… still have to remove the “^” in the authpriv regex…
The regex “|” throws an error on mine (though I’m using the Windows version of QNA, not sure whether the regex evaluator is different on Linux)
q: exists matches (regex "|") of lines of files "c:\temp\rsyslog.conf"
E: The expression could not be evaluated: Regex Error - Empty expression.
q: exists matches (regex "[|]") of lines of files "c:\temp\rsyslog.conf"
A: True
T: 0.473 ms
I: singular boolean
q: lines of files "c:\temp\rsyslog.conf"
A: #authpriv.* /var/log/secure
A: authpriv.* |@@server.domain.com:10514
Based on my short test, I believe that changing that regex looking for the pipe character gives the expected result:
q: not exists 1 whose ((0 < number of ((it, (if exists it then concatenation "," of substrings separated by "" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "" of concatenation "" of substrings separated by "," of concatenation "" of (if exist matches (regex "[|]") of it then error "Delimiter in string: |" else it) of lines whose (exist matches (regex "^\s*authpriv.*\s+@") of it) of it, "^\s*authpriv.*\s+@", 1) of it) of files "c:\temp\rsyslog.conf" ))
The | character has a special meaning in a regex pattern.
Escape it and the expression works.
q: exists matches (regex "|") of "ABC|DEF"
E: The expression could not be evaluated: Regex Error - Empty expression.
q: exists matches (regex "\|") of "ABC|DEF"
A: True
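The patterns discussed in this thread, run over a constructed rsyslog.conf sample to show which lines each one selects. This is an added example, not code from the thread: it uses Python's re module as a stand-in for the BigFix regex evaluator (which may differ in edge cases), and the host names and sample lines are invented.

```python
import re

# Constructed sample of /etc/rsyslog.conf content (not taken from a real host).
SAMPLE_CONF = """\
#authpriv.* /var/log/secure
authpriv.*    /var/log/secure
*.* @@loghost.example.com:514
  authpriv.* @@loghost.example.com:10514
#authpriv.* @@loghost.example.com:10514
"""

# Patterns from the thread, written as Python raw strings.
PATTERNS = {
    # \^ demands a literal '^' character before "authpriv", so no rule matches.
    "literal_caret": r"^\s*\^authpriv.*\s+@",
    # [a-zA-Z]* may match nothing and .* matches anything, so every line that
    # has whitespace followed by '@' is selected, commented-out rules included.
    "any_selector": r"^\s*[a-zA-Z]*.*\s+@",
    # Only active (uncommented) authpriv rules that forward to a remote host.
    "authpriv_only": r"^\s*authpriv.*\s+@",
}

# The pipe is the alternation operator, so it must be escaped to be matched
# literally; the character class [|] is equivalent.
PIPE = re.compile(r"\|")


def matching_lines(pattern, conf_text):
    """Return the lines of conf_text that the pattern matches."""
    rx = re.compile(pattern)
    return [line for line in conf_text.splitlines() if rx.search(line)]


def report(conf_text=SAMPLE_CONF):
    """Map each pattern name to the sample lines it selects."""
    return {name: matching_lines(p, conf_text) for name, p in PATTERNS.items()}


def contains_pipe(line):
    """True when the line contains a literal '|' character."""
    return bool(PIPE.search(line))


if __name__ == "__main__":
    for name, lines in report().items():
        print(f"{name}: {len(lines)} match(es)")
        for line in lines:
            print(f"    {line!r}")
```
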