<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><span class="Apple-style-span" style="font-size: 11px;"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 11px/normal Helvetica; "><b>@ESTRING@</b>: This parser has a required parameter that acts as the stopcharacter: the parser parses</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 11px/normal Helvetica; ">everything until it finds the stopcharacter. For example to stop by the next <span style="font: 10.0px Helvetica">" </span>(double quote) character,</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 11px/normal Helvetica; ">use <span style="font: 10.0px Helvetica">@ESTRING::"@</span>. To stop by a colon (:), the colon has to be escaped with another colon, like:</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 11px/normal Helvetica; "><span style="font: 10.0px Helvetica">@ESTRING::::@</span>. As of syslog-ng 3.1, it is possible to specify a stopstring instead of a single character,</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 11px/normal Helvetica; ">for example, <span style="font: 10.0px Helvetica">@ESTRING::stop_here.@</span>. The <span style="font: 10.0px Helvetica">@ </span>character cannot be a stopcharacter, nor can linebreaks</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 11px/normal Helvetica; ">or tabs.</div></span><div><div><br></div><div>What I am finding odd is I am also trying other strings such as space, dash, number, and even a stop string without any success. This one has me stumped </div><div><br></div><div><br></div><div>On Feb 11, 2012, at 6:28 PM, Evan Rempel wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>It may be because you are trying to ESTRING with a colen (:)<br><br>I don't have the docs in front of me, but there should be some special syntax to ESTRING with a colen (:).<br><br>________________________________________<br>From: <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Chris Johnson [masterof0@gmail.com]<br>Sent: Saturday, February 11, 2012 6:16 PM<br>To: Syslog-ng users' and developers' mailing list<br>Subject: Re: [syslog-ng] Cant get pattern matching to work<br><br>Thanks for the feedback. One thing I noticed is that your pattern definition is inside the ruleset which was an initial error on my part. Now that is fixed and I still had the same challenge. Based on some trouble shooting, I have narrowed it down to the ESTRING definition. No matter what I try with the ESTRING definition, I cannot get it to work. If I do an exact pattern match, such as RT_FLOW_SESSION_CLOSE and remove the ESTRING defntion, everything works as expected.<br><br>Thoughts?<br><br>Chris<br><br>On Feb 11, 2012, at 5:12 PM, Evan Rempel wrote:<br><br><blockquote type="cite">you need to have a pattern for your ruleset, which will match the $program macro.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><patterndb version='3' pub_date='2011-02-11'><br></blockquote><blockquote type="cite"> <ruleset name='session_close' id='123456678'><br></blockquote><blockquote type="cite"> <pattern>RT_FLOW</pattern><br></blockquote><blockquote type="cite"> <rules><br></blockquote><blockquote type="cite"> <rule provider='cj' id='182437592347598' class='session'><br></blockquote><blockquote type="cite"> <patterns><br></blockquote><blockquote type="cite"> <pattern>@ESTRING:TEST1:::@ @ANYSTRING:TEST2@</pattern><br></blockquote><blockquote type="cite"> </patterns><br></blockquote><blockquote type="cite"> </rule><br></blockquote><blockquote type="cite"> </rules><br></blockquote><blockquote type="cite"> </ruleset><br></blockquote><blockquote type="cite"></patterndb><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Then TEST1 should be<br></blockquote><blockquote type="cite">RT_FLOW_SESSION_CLOSE<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">and TEST2 should be<br></blockquote><blockquote type="cite">session closed unset: 192.168.199.253/55189->8.8.8.8/53 junos-dns-udp X.X.X.X/60836->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 30455 1(83) 1(83) 2 N/A N/A N/A(N/A) vlan.0<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">home that helps.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Evan.<br></blockquote><blockquote type="cite">________________________________________<br></blockquote><blockquote type="cite">From: <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [syslog-ng-bounces@lists.balabit.hu] On Behalf Of Chris Johnson [masterof0@gmail.com]<br></blockquote><blockquote type="cite">Sent: Saturday, February 11, 2012 4:44 PM<br></blockquote><blockquote type="cite">To: Syslog-ng and developers' mailing list users'<br></blockquote><blockquote type="cite">Subject: [syslog-ng] Cant get pattern matching to work<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Sorry for bombarding the mailing list with questions. I have been working through the documentation but just seem to keep hitting obstacles. I have compared this to the examples in the manual and some samples I was able to track down, but Im not seeing where I am going wrong. For this question, I am working with the following data:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">"MESSAGE" : "RT_FLOW_SESSION_CLOSE: session closed unset: 192.168.199.253/55189->8.8.8.8/53 junos-dns-udp X.X.X.X/60836->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 30455 1(83) 1(83) 2 N/A N/A N/A(N/A) vlan.0",<br></blockquote><blockquote type="cite">"PROGRAM" : "RT_FLOW"<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Based on this , I have generated the following pattern database and config just to see if I am heading down the right path. Unfortunately, what I thought would generate a pattern match on the logs and generate the appropriate macros, are not retuning anything. I have also tried taking out the $PROGRAM patter, but that did not seem to help. I have also validated this with pdbtool and it succeeds.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Any help is greatly appreciated<br></blockquote><blockquote type="cite">Chris<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">patterndb.xml<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><patterndb version='3' pub_date='2011-02-11'><br></blockquote><blockquote type="cite"><ruleset name='session_close' id='123456678'><br></blockquote><blockquote type="cite"><rules><br></blockquote><blockquote type="cite"><rule provider='cj' id='182437592347598' class='session'><br></blockquote><blockquote type="cite"><patterns><br></blockquote><blockquote type="cite"><pattern><br></blockquote><blockquote type="cite">@ESTRING:TEST1:::@ @ANYSTRING:TEST2@<br></blockquote><blockquote type="cite"></pattern><br></blockquote><blockquote type="cite"></patterns><br></blockquote><blockquote type="cite"></rule><br></blockquote><blockquote type="cite"></rules><br></blockquote><blockquote type="cite"></ruleset><br></blockquote><blockquote type="cite"></patterndb><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">syslog-ng.conf<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">#####Destinations#####<br></blockquote><blockquote type="cite">destination d_mongodb {<br></blockquote><blockquote type="cite"> mongodb(<br></blockquote><blockquote type="cite"> value-pairs(<br></blockquote><blockquote type="cite"> key("TEST1")<br></blockquote><blockquote type="cite"> key("TEST2")<br></blockquote><blockquote type="cite"> scope("base")<br></blockquote><blockquote type="cite"> )<br></blockquote><blockquote type="cite"> );<br></blockquote><blockquote type="cite">};<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">#####Parser#####<br></blockquote><blockquote type="cite">parser pattern_db {<br></blockquote><blockquote type="cite"> db_parser(<br></blockquote><blockquote type="cite"> file("/usr/local/etc/patterndb.xml")<br></blockquote><blockquote type="cite"> );<br></blockquote><blockquote type="cite">};<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">#####Log#####<br></blockquote><blockquote type="cite">log {<br></blockquote><blockquote type="cite"> source(s_network);<br></blockquote><blockquote type="cite"> parser(pattern_db);<br></blockquote><blockquote type="cite"> destination(d_mongodb);<br></blockquote><blockquote type="cite">};<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Unfortunately, what I thought would pattern match and generate a macro for<br></blockquote><blockquote type="cite">______________________________________________________________________________<br></blockquote><blockquote type="cite">Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br></blockquote><blockquote type="cite">Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br></blockquote><blockquote type="cite">FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br></blockquote><blockquote type="cite"><br></blockquote><br>______________________________________________________________________________<br>Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br><br>______________________________________________________________________________<br>Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br><br></div></blockquote></div><br></div></body></html>