[syslog-ng] Forward slashes in QSTRING

Michael Starks syslog-ng-list at michaelstarks.com
Sun Jun 17 19:43:59 CEST 2012


Is it possible to use a / as a delimiter in QSTRING? The documentation 
seems to permit it, but my pattern doesn't work. Here's the pattern:

<pattern>Alert Level: @NUMBER:i0:@; Rule: @NUMBER:i1:@ - @ESTRING:s0:;@ 
Location: @QSTRING:s1:()@ @IPv4:i2:@->syscheck; Integrity checksum 
changed for: @QSTRING:s4:/'@</pattern>

And here's the string I want to match on:

Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: 
(agentname) 172.16.0.1->syscheck; Integrity checksum changed for: 
'/etc/fstab'

The idea is to extract only 'fstab' (without the quotes). I have also 
tried 0x2f in place of / with similar results, and various attempts at 
escaping it have failed. Thanks.
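
Added example, not part of the original post and not syslog-ng code: a simplified Python model of the four parsers used in the pattern, run against the posted log line to show where matching stops. It assumes the documented QSTRING behaviour (the field must begin with the first parameter character and ends at the next occurrence of the last one); the function names, the simplified NUMBER/IPv4 handling and the joining of the e-mail line wraps with one space are assumptions.

```python
import re

# Constructed from the post: pattern and log line with the e-mail wraps joined by one space.
PATTERN = ("Alert Level: @NUMBER:i0:@; Rule: @NUMBER:i1:@ - @ESTRING:s0:;@ "
           "Location: @QSTRING:s1:()@ @IPv4:i2:@->syscheck; Integrity checksum "
           "changed for: @QSTRING:s4:/'@")
LOG = ("Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: "
       "(agentname) 172.16.0.1->syscheck; Integrity checksum changed for: "
       "'/etc/fstab'")

TOKEN = re.compile(r"@(\w+):(\w*):([^@]*)@")   # @PARSER:name:param@
NUM = re.compile(r"\d+")                        # simplified NUMBER (decimal only)
IP4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")    # simplified IPv4 (no range check)

def parse_field(kind, param, text, pos):
    """Return (value, new_pos), or None if the parser does not match at pos."""
    if kind in ("NUMBER", "IPv4"):
        m = (NUM if kind == "NUMBER" else IP4).match(text, pos)
        return (m.group(), m.end()) if m else None
    if kind == "ESTRING":   # everything up to the stop string, which is consumed
        end = text.find(param, pos)
        return (text[pos:end], end + len(param)) if end >= 0 else None
    if kind == "QSTRING":   # must START with param[0], runs to the next param[-1]
        if not text.startswith(param[0], pos):
            return None
        end = text.find(param[-1], pos + 1)
        return (text[pos + 1:end], end + 1) if end >= 0 else None
    raise ValueError("parser not modelled: " + kind)

def match(pattern, text):
    """Return (fields, None) on a full match, else (fields, offset where it stopped)."""
    fields, pos, last = {}, 0, 0
    for tok in TOKEN.finditer(pattern):
        literal = pattern[last:tok.start()]
        if not text.startswith(literal, pos):
            return fields, pos
        pos += len(literal)
        got = parse_field(tok.group(1), tok.group(3), text, pos)
        if got is None:
            return fields, pos
        fields[tok.group(2)], pos = got
        last = tok.end()
    return (fields, None) if text[pos:] == pattern[last:] else (fields, pos)

if __name__ == "__main__":
    fields, stopped = match(PATTERN, LOG)
    print(fields, "stopped at:", repr(LOG[stopped:]) if stopped is not None else None)
```

In this model the pattern stops at the opening `'`, because `@QSTRING:s4:/'@` requires the field to begin with `/`; with `''` as the delimiters the field matches but captures the whole path `/etc/fstab`.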

