I have inputs.conf files in multiple directories; the script needs to match and parse each stanza and change `index=` to `index=secure`. These are the types of files found in inputs.conf, and the script should also locate the inputs file in this directory (_GWAS_pr_linux_t1/local/inputs.conf) to modify the index.
In the file:
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index =
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index =
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index =
[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index =
[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index =
I tried with the command
sed -i -e 's/.*(?s)((\[WinEventLog:\/\/Application|Security|System|ForwardedEvents|Setup\]).*?)(?:(?:\r\n){2}) /index=window inputs.conf
to change to `index=window` for the `Application`, `Security`, `System`, `ForwardedEvents` and `Setup` entry.
In the file:
[monitor:///var/log/cron]
index=
sourcetype=linux_secure
[monitor:///var/log/secure]
index=
sourcetype=linux_secure
[monitor:///var/log/messages]
index=
sourcetype=linux
[monitor:///var/log/spooler]
index =
sourcetype=syslog
[monitor:///var/log/audit/audit.log]
sourcetype=syslog
index=
[monitor:///var/log//maillog]
index=
sourcetype=syslog
I tried the command
sed -i -e 's/.*(?s)((\[monitor\:\/\/\/var\/log\/messages|secure\]).*?)(?:(?:\r*\n){2})' /index=secure *linux*/local/inputs.conf
to change the `index=` line to `index=secure` for the `messages` and `secure` log.
i) Works like a charm, but the only issue I'm having right now is that the script cannot go through the apps directory and update the index name; most of the app directory names are in this form:
_EBPD_pr_linux_w1/local/inputs.conf,
_EBPD_np_linux_w1/local/inputs.conf,
_FBPV_pr_liux_e1/local/inputs.conf,
_FBPV_np_liux_e1/local/inputs.conf,
_FBPV_np_windows_e1/local/inputs.conf,
_FBPV_np_windows_e1/ocal/inputs.conf
ii) Secondly, and most importantly, if the app has `np` or `pr` in its name, that is how the index name should be updated. For example `index=secure_pr` or `secure_np` or `windows_pr` or `windows_np`.
iii) Another issue is that if there is an existing index name, it does not remove it and replace it with the new index name; it just appends to it. For example `index=power` is updated to `index=powersecure` instead of `index=secure`.
iv) I tried these, but it says "No such file or directory":
perl -00lpe '$_.="secure_np" if m,/(messages|secure|cron|maillog|spooler|audit/audit\.log)\],' *linux*/local/inputs.conf
perl -00lpe '$_.="secure_pr" if m,/(messages|secure|cron|maillog|spooler|audit/audit\.log)],' *linux*/local/inputs.conf
perl -00lpe '$_ .= "windows_pr" if m,/(Application|Security|System|ForwardedEvents|Setup)\],' *window*/local/inputs.conf
perl -00lpe '$_ .= "windows_nr" if m,/(Application|Security|System|ForwardedEvents|Setup)],' *window*/local/inputs.conf
Answer 1
This is much easier in Perl. The perl executable has a feature called "paragraph mode" (-00), in which a "line" is defined by two consecutive \n characters (i.e. a blank line). This lets perl work on paragraphs instead of lines. So you can simply do:
$ perl -00pe 'if(m,^\[WinEventLog://(Application|Security|System|ForwardedEvents|Setup)\],){s/(index\s*=)\s*[^\n]*/$1 window inputs.conf\n\n/}' file1
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
and:
$ perl -00pe 'if(m,^\[monitor:///var/log/(messages|secure)\],){s/(index\s*=)\s*[^\n]*/$1 secure\n\n/}' file2
[monitor:///var/log/cron]
sourcetype=linux_secure
index=
[monitor:///var/log/secure]
sourcetype=linux_secure
index= secure
[monitor:///var/log/messages]
sourcetype=linux
index= secure
[monitor:///var/log/spooler]
sourcetype=syslog
index =
[monitor:///var/log/audit/audit.log]
sourcetype=syslog
index=
[monitor:///var/log//maillog]
sourcetype=syslog
index=
But since your files seem to have a fairly stable format, you can simplify this further to:
$ perl -00lpe '$_ .= "window inputs.conf" if m,//(Application|Security|System|ForwardedEvents|Setup)\],;' file1
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
and:
$ perl -00lpe '$_.="secure" if m,/(messages|secure)\],' file2
[monitor:///var/log/cron]
sourcetype=linux_secure
index=
[monitor:///var/log/secure]
sourcetype=linux_secure
index=secure
[monitor:///var/log/messages]
sourcetype=linux
index=secure
[monitor:///var/log/spooler]
sourcetype=syslog
index =
[monitor:///var/log/audit/audit.log]
sourcetype=syslog
index=
[monitor:///var/log//maillog]
sourcetype=syslog
index=
Answer 2
1) For patterns with many slashes, you should use a different delimiter for the s command to make it more readable (then you don't need to escape the slashes).
2) You seem to be using extended regular expressions, so you have to give sed the -E option.
3) If you use alternation for part of a pattern, you need to surround it with (), like (messages|secure).
4) The replacement part (/index=window) needs to be part of the script, not separated off like an argument.
5) Also, the s command is missing its closing delimiter.
6) (?s) and (?:) are not regular expressions but Perl extensions, so don't use them here. Since the colon has no special meaning here, you don't need to escape it (thanks, @Stéphane Chazelas).
7) sed works line by line, so your \n will never match unless you join lines (which you don't).
Now I dare to guess what you want to do: for the messages and secure logs, change the following index= line to index=secure. Correct?
So your command is s/index=/index=secure/. But you only want to apply it to certain groups. For that, sed has a filter option that applies the command only to lines (or groups of lines) matching the filter. One way of addressing is a pattern to match. If you want to address a range of lines, give two addresses (a start and an end address), separated by a comma:
sed -E '\_\[WinEventLog://(Application|Security|System|ForwardedEvents|Setup)\]_,/index *=/s/index =/index = window/' inputs.conf
In the second command I can show how to simplify the command further: you can drop the matching pattern from the s command. This means the last pattern is used again, which happens to be the second address of the filter range, so there is no need to repeat it. Instead of repeating the pattern in the replacement, you can write &, which inserts the whole match:
sed -i -E '\_\[monitor:///var/log/(messages|secure)\]_,/index=/s//&secure/' *linux*/local/inputs.conf
Final tip: don't use the -i option until you are happy with the result. Otherwise you can easily mess up your files, especially if you are not experienced with the tool.
Update
With the updated question, it seems there may already be some index=foo setting that needs replacing. Just change the replacement:
sed -E '/(Application|Security|System|ForwardedEvents|Setup)]/,/index *=.*/s//index = window/' inputs.conf
and
sed -i -E '/messages]|secure]/,/index *=.*/s//index=secure/' *linux*/local/inputs.conf
(further simplification of the pattern, suggested by terdon)
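Neither answer derives the `pr`/`np` index name from the app directory (points i and ii of the question) or protects against a `/start/,/end/` range running into the next stanza when a stanza has no `index=` line. The script below is an added example, not code from either answer: it rewrites `index=` (replacing any existing value, point iii) only inside matching stanzas with a stanza-aware awk pass, and derives the value from the directory name. The layout `_<APP>_<pr|np>_<linux|windows>_<n>/local/inputs.conf` is assumed from the question's examples, and the files that `make_sample_tree` writes are constructed for a dry run.

```shell
#!/bin/sh
# Added example (not from the question or answers): stanza-aware rewrite of
# index= whose value is derived from the app directory name. Assumes paths
# like _<APP>_<pr|np>_<linux|windows>_<n>/local/inputs.conf (hypothetical).

# Print the index name for an inputs.conf path; fail if the app dir carries
# no pr/np tag or no linux/windows tag.
index_name_for() {
    app=$(basename "$(dirname "$(dirname "$1")")")   # e.g. _EBPD_pr_linux_w1
    case "$app" in *_pr_*) env=pr ;; *_np_*) env=np ;; *) return 1 ;; esac
    case "$app" in
        *linux*)   echo "secure_$env" ;;
        *windows*) echo "windows_$env" ;;
        *)         return 1 ;;
    esac
}

# Rewrite the index= line (whatever its current value) only inside stanzas
# whose name is in the ERE alternation $2. Other stanzas are untouched, and a
# stanza without an index line never bleeds into the next one.
rewrite_index() {
    awk -v names="$2" -v idx="$3" '
        BEGIN { re = "^\\[(monitor:///var/log/(" names ")|WinEventLog://(" names "))\\][ \t]*$" }
        /^\[/ { hit = ($0 ~ re) }                   # new stanza: remember whether it matches
        hit && /^[ \t]*index[ \t]*=/ { $0 = "index=" idx }
        { print }
    ' "$1"
}

# Walk every app dir under $1 and rewrite via a temp file (no sed -i needed).
update_all() {
    for f in "$1"/_*/local/inputs.conf; do
        [ -f "$f" ] || continue
        idx=$(index_name_for "$f") || { echo "skipping $f: no env/platform tag" >&2; continue; }
        case "$idx" in
            windows_*) names='Application|Security|System|ForwardedEvents|Setup' ;;
            *)         names='messages|secure|cron|maillog|spooler|audit/audit[.]log' ;;
        esac
        rewrite_index "$f" "$names" "$idx" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Build a small constructed tree under $1 for a dry run.
make_sample_tree() {
    mkdir -p "$1/_EBPD_pr_linux_w1/local" "$1/_FBPV_np_windows_e1/local"
    printf '[monitor:///var/log/secure]\nindex=power\nsourcetype=linux_secure\n\n[monitor:///var/log/boot.log]\nindex=\n' \
        > "$1/_EBPD_pr_linux_w1/local/inputs.conf"
    printf '[WinEventLog://Security]\ndisabled =0\nindex =\n' > "$1/_FBPV_np_windows_e1/local/inputs.conf"
}
```

Run `d=$(mktemp -d); make_sample_tree "$d"; update_all "$d"; cat "$d"/*/local/inputs.conf` to see the result before pointing `update_all` at the real apps directory.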