[syslog-ng] Optional Parser Type Match

Balazs Scheidler bazsi77 at gmail.com
Sun Jul 6 19:10:07 CEST 2014


In general, db-parser() uses a quite low-level representation, so you need
to use multiple rules to match these messages.

I was already thinking about creating a bit higher-level tool that could
generate some of the rules (instead of working with the XML directly), but
never got around to doing that.


On Sat, Jul 5, 2014 at 6:15 PM, Michael Starks <
syslog-ng-list at michaelstarks.com> wrote:

> Can a parser type be made to optionally match? For example, given the
> message of 'DROP IN=vlan2 OUT=
> MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 SRC=1.2.3.4
> DST=172.16.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=61318 PROTO=TCP
> SPT=443 DPT=45872 SEQ=1548679084 ACK=0 WINDOW=0 RES=0x00 RST URGP' OUT=
> may or may not be defined. I would like to match it if it exists with a
> parser and maybe just set it to null if it doesn't exist.
>
> Similarly, in this message: 'DROP IN=vlan2 OUT=
> MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 SRC=1.2.3.4
> DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=3265 DF PROTO=TCP
> SPT=443 DPT=44616 SEQ=880418731 ACK=0 WINDOW=0 RES=0x00 RST UR' the DF
> field sometimes exists and sometimes doesn't.
>
> Whenever I define something like 'DROP IN=@ESTRING:s1: @OUT=@ESTRING:s0:
> @' the OUT= string doesn't match if there is no value.
>


-- 
Bazsi
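The multi-rule approach described in the reply, as an added example that is not from this thread or the syslog-ng project: a small Python generator that expands a template with [[a|b]] alternatives into one concrete db-parser pattern per combination (the empty OUT= value and the absent DF flag from the quoted messages) and wraps them in a patterndb v4 ruleset. The [[...]] notation, the field order, the ruleset name and the provider value are assumptions of this example.

```python
import itertools
import re
import uuid
import xml.etree.ElementTree as ET

# Rule template in patterndb parser syntax (the notation used in the thread).
# A [[a|b]] segment lists the alternatives for a part that varies between
# messages: "OUT=" is followed by a value or is empty, and "DF " may be absent.
# Assumption: the field order of the iptables messages quoted on the page.
TEMPLATE = (
    "DROP IN=@ESTRING:in: @OUT=[[@ESTRING:out: @| ]]MAC=@ESTRING:mac: @"
    "SRC=@IPv4:src@ DST=@IPv4:dst@ LEN=@NUMBER:len@ TOS=@ESTRING:tos: @"
    "PREC=@ESTRING:prec: @TTL=@NUMBER:ttl@ ID=@NUMBER:id@ [[DF |]]"
    "PROTO=@ESTRING:proto: @SPT=@NUMBER:spt@ DPT=@NUMBER:dpt@ "
)

ALT = re.compile(r"\[\[(.*?)\]\]")


def expand(template):
    """Return every concrete db-parser pattern the template stands for.

    Each [[...]] segment is split on '|' and the cross product of all
    segments is taken, so n varying fields give 2**n rules: the several
    rules that one pattern cannot express. Order is deterministic, the
    first alternative of every segment coming first.
    """
    pieces = ALT.split(template)  # literal, alts, literal, alts, ..., literal
    literals, choice_sets = pieces[0::2], [s.split("|") for s in pieces[1::2]]
    patterns = []
    for choice in itertools.product(*choice_sets):
        parts = [literals[0]]
        for alt, lit in zip(choice, literals[1:]):
            parts += [alt, lit]
        patterns.append("".join(parts))
    return patterns


def to_patterndb(patterns, ruleset="iptables-drop", program="kernel"):
    """Wrap the expanded patterns in a minimal patterndb v4 ruleset, one
    <rule> per pattern. Rule ids are derived from the pattern text so that
    regenerating the file keeps them stable; "example" is a placeholder
    provider name."""
    db = ET.Element("patterndb", version="4", pub_date="2014-07-06")
    rs = ET.SubElement(db, "ruleset", name=ruleset,
                       id=str(uuid.uuid5(uuid.NAMESPACE_DNS, ruleset)))
    ET.SubElement(rs, "pattern").text = program  # program name to match
    rules = ET.SubElement(rs, "rules")
    for p in patterns:
        rule = ET.SubElement(rules, "rule", {"class": "system"},
                             provider="example",
                             id=str(uuid.uuid5(uuid.NAMESPACE_DNS, p)))
        ET.SubElement(ET.SubElement(rule, "patterns"), "pattern").text = p
    return ET.tostring(db, encoding="unicode")


if __name__ == "__main__":
    print(to_patterndb(expand(TEMPLATE)))
```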

