Use this documentation with care! It describes the outdated version 7, which was actively developed around 2014 and is considered dead by the rsyslog team.

This documentation reflects the latest update of the v7-stable branch. It describes the 7.6.8 version, which was never released. As such, it contains some content that does not apply to any released version.

To obtain the doc that properly matches your installed v7 version, obtain the doc set from your distro. Each version of rsyslog contained the version that exactly matches it.

As general advise, it is strongly suggested to upgrade to the current version supported by the rsyslog project. The current version can always be found on the right-hand side info box on the rsyslog web site.

Note that there is only limited rsyslog community support available for the outdated v7 version (officially we do not support it at all, but we usually are able to answer simple questions). If you need to stick with v7, it probably is best to ask your distribution for support.

Property Replacer nomatch mode

The “nomatch-Mode” specifies which string the property replacer shall return if a regular expression did not find the search string.. Traditionally, the string “**NO MATCH**” was returned, but many people complained this was almost never useful. Still, this mode is support as “DFLT” for legacy configurations.

Three additional and potentially useful modes exist: in one (BLANK) a blank string is returned. This is probably useful for inserting values into databases where no value shall be inserted if the expression could not be found.

A similar mode is “ZERO” where the string “0” is returned. This is suitable for numerical values. A use case may be that you record a traffic log based on firewall rules and the “bytes transmitted” counter is extracted via a regular expression. If no “bytes transmitted” counter is available in the current message, it is probably a good idea to return an empty string, which the database layer can turn into a zero.

The other mode is “FIELD”, in which the complete field is returned. This may be useful in cases where absense of a match is considered a failure and the message that triggered it shall be logged.

If in doubt, it is highly suggested to use the rsyslog online regular expression checker and generator to see these options in action. With that online tool, you can craft regular expressions based on samples and try out the different modes.

Summary of nomatch Modes

BLANK“” (empty string)
FIELDfull content of original field
 Interactive Tool

This documentation is part of the rsyslog project. Copyright © 2008-2014 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 2 or higher.