Have inputs.conf files in multiple directories that needs to match and parse each stanza and modify the index= to index=secure. This are files type in inputs.conf and also do run the script to locate the inputs file in this dir (_GWAS_pr_linux_t1/local/inputs.conf) to modify the index
In the file
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index =
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index =
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index =
[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index =
[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index =
I tried with the command
sed -i -e 's/.*(?s)((\[WinEventLog:\/\/Application|Security|System|ForwardedEvents|Setup\]).*?)(?:(?:\r\n){2}) /index=window inputs.conf
to change to `index=window` for the `Application`, `Security`, `System`, `ForwardedEvents` and `Setup` entry.
In the file
[monitor:///var/log/cron]
index=
sourcetype=linux_secure
[monitor:///var/log/secure]
index=
sourcetype=linux_secure
[monitor:///var/log/messages]
index=
sourcetype=linux
[monitor:///var/log/spooler]
index =
sourcetype=syslog
[monitor:///var/log/audit/audit.log]
sourcetype=syslog
index=
[monitor:///var/log//maillog]
index=
sourcetype=syslog
I tried command
sed -i -e 's/.*(?s)((\[monitor\:\/\/\/var\/log\/messages|secure\]).*?)(?:(?:\r*\n){2})' /index=secure *linux*/local/inputs.conf
to change the `index=` line to `index=secure` for the `messages` and `secure` log.
i) Work like a charm but the only issues I'm having right now is that, the
script cannot pass through the apps directory and update the index name and
most of the apps directory name is in this form.
_EBPD_pr_linux_w1/local/inputs.conf,
_EBPD_np_linux_w1/local/inputs.conf,
_FBPV_pr_liux_e1/local/inputs.conf,
_FBPV_np_liux_e1/local/inputs.conf,
_FBPV_np_windows_e1/local/inputs.conf,
_FBPV_np_windows_e1/ocal/inputs.conf
ii) Secondly, the most important thing is that, if the app has `np` or `pr` that is how the index name will be updated. For example `index=secure_pr` or `scure_np` or `windows_pr` or `windows_np`.
iii) Another issue is that if there is an existing index name, it does not remove and update to the new index name it just adds to it. For example `index=power` is updated to `index=powersecure` instead of `index=secure`.
iv) I try these but it says "No such file or directory"
perl -00lpe '$_.="secure_np" if m,/(messages|secure|cron|maillog|spooler|audit/audit\.log)\],' *linux*/local/inputs.conf
perl -00lpe '$_.="secure_pr" if m,/(messages|secure|cron|maillog|spooler|audit/audit\.log)],' *linux*/local/inputs.conf
perl -00lpe '$_ .= "windows_pr" if m,/(Application|Security|System|ForwardedEvents|Setup)\],' *window*/local/inputs.conf
perl -00lpe '$_ .= "windows_nr" if m,/(Application|Security|System|ForwardedEvents|Setup)],' *window*/local/inputs.conf
答案1
这在 Perl 中会容易得多。可执行文件perl
具有称为“段落模式”( ) 的功能,其中“行”由两个连续字符(即空行)-00
定义。\n
这使得可以perl
使用段落而不是行。所以你可以简单地这样做:
$ perl -00pe 'if(m,^\[WinEventLog://(Application|Security|System|ForwardedEvents|Setup)\],){s/(index\s*=)\s*[^\n]*/$1 window inputs.conf\n\n/}' file1
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
和:
$ perl -00pe 'if(m,^\[monitor:///var/log/(messages|secure)\],){s/(index\s*=)\s*[^\n]*/$1 secure\n\n/}' file2
[monitor:///var/log/cron]
sourcetype=linux_secure
index=
[monitor:///var/log/secure]
sourcetype=linux_secure
index= secure
[monitor:///var/log/messages]
sourcetype=linux
index= secure
[monitor:///var/log/spooler]
sourcetype=syslog
index =
[monitor:///var/log/audit/audit.log]
sourcetype=syslog
index=
[monitor:///var/log//maillog]
sourcetype=syslog
index=
但是,由于您的文件似乎具有相当稳定的格式,因此您可以进一步简化为:
$ perl -00lpe '$_ .= "window inputs.conf" if m,//(Application|Security|System|ForwardedEvents|Setup)\],;' file1
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled =0
start_from = oldest
index = window inputs.conf
和:
$ perl -00lpe '$_.="secure" if m,/(messages|secure)\],' file2
[monitor:///var/log/cron]
sourcetype=linux_secure
index=
[monitor:///var/log/secure]
sourcetype=linux_secure
index=secure
[monitor:///var/log/messages]
sourcetype=linux
index=secure
[monitor:///var/log/spooler]
sourcetype=syslog
index =
[monitor:///var/log/audit/audit.log]
sourcetype=syslog
index=
[monitor:///var/log//maillog]
sourcetype=syslog
index=
答案2
1)对于具有许多斜杠的模式,您应该为命令使用不同的分隔符s
以使其更具可读性(那么您不需要转义斜杠)。
2)您似乎正在使用扩展正则表达式,因此您必须将该-E
选项设置为sed
3)如果您对模式的一部分使用替代字符串,则需要用()
类似的内容将其包围(messages|secure)
4) 替换部分 ( /index=window
) 需要成为脚本的一部分,而不是像参数一样被分隔开。
5) 此外,该s
命令缺少结束分隔符
6) (?s) and
(?:)` 不是正则表达式,而是 Perl 扩展,所以不要在这里使用它们。因为冒号在这里没有特殊含义,所以你不需要转义它(谢谢,@Stéphane Chazelas)
7)sed
是逐行工作的,所以你\n
永远不会匹配,直到你加入行(你不这样做)
现在我敢猜你想做什么:对于 和messages
日志secure
,将以下行更改index=
为index=secure
。正确的?
所以你的命令是s/index=/index=secure/
.但您只想将其应用于某些群体。为此,sed
有一个过滤选项,仅将命令应用于与过滤器匹配的行(或行组)。寻址要匹配的模式的一种方法。如果要寻址一系列行,请给出两个地址(起始地址和终止地址),用逗号分隔:
sed -E '\_\[WinEventLog://(Application|Security|System|ForwardedEvents|Setup)\]_,/index *=/s/index =/index = window/' inputs.conf
在第二个命令中,我可以展示如何进一步简化命令:您可以删除s
命令中的匹配模式。这意味着再次使用最后一个模式,它恰好是过滤器范围的第二个地址,因此无需重复。
您可以编写 ,而不是在替换中重复模式,&
这将插入整个匹配项:
sed -i -E '\_\[monitor:///var/log/(messages|secure)\]_,/index=/s//&secure/' *linux*/local/inputs.conf
-i
最后提示:在对结果满意之前不要使用该选项。这样你很容易弄乱你的文件,特别是当你没有使用该工具的经验时。
更新
随着更新的问题,似乎可能已经是一些index=foo
需要替换的设置。只需更改替换即可:
sed -E '/(Application|Security|System|ForwardedEvents|Setup)]/,/index *=.*/s//index = window/' inputs.conf
和
sed -i -E '/messages]|secure]/,/index *=.*/s//index=secure/' *linux*/local/inputs.conf
(terdon建议的模式的进一步简化)