[syslog-ng] Issue with pdbtool patterndb and percent symbols

Mark Shetka mshetka at d.umn.edu
Wed Jan 29 23:37:10 CET 2014


My Zsh shell was somehow interfering with pdbtool and the % symbols.  I
reran with Bash and the patterns match just fine, so I'm all good.  Thanks!

--
Mark Shetka
Information Technology Systems & Services
University of Minnesota - Duluth
(218) 726-7682


On Wed, Jan 29, 2014 at 8:40 AM, Mark Shetka <mshetka at d.umn.edu> wrote:

> I am setting up some patterns to parse Cisco syslog messages.  I noticed
> that pdbtool will not complete if I have a "%F" anywhere in the string.
>
> Example log message:
> %FWSM-1-109006: Authentication failed for user 'test' from
> 131.212.1.1/43250 to 10.1.1.1/22 on interface management
>
> This does not complete:
> pdbtool match -p cisco.xml -M "%FWSM-1-109006: Authentication failed for
> user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management"
>
> Nor does simply %F:
> pdbtool match -p cisco.xml -M "%F"
>
> It is fine without the %:
> pdbtool match -p cisco.xml -M "FWSM-1-109006: Authentication failed for
> user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management"
>
> MESSAGE=FWSM-1-109006: Authentication failed for user 'test' from
> 131.212.1.1/43250 to 10.1.1.1/22 on interface management
> .classifier.class=login
> .classifier.rule_id=5cfbcb23-cfe4-4120-85c1-918df65c0edc
> usracct.username=test
> usracct.device=131.212.1.1
> usracct.service=22
> usracct.type=login
> usracct.sessionid=
> usracct.application=
> secevt.verdict=REJECT
> TAGS=.classifier.login,usracct,secevt
>
> It also seems to have issues with "%S", although not quite in the same
> way.  Any ideas what could be causing this?
>
> Mark
>
>
> --
> Mark Shetka
> Information Technology Systems & Services
> University of Minnesota - Duluth
> (218) 726-7682
>