<div dir="ltr">My Zsh shell was somehow interfering with pdbtool and the % symbols. I reran with Bash and the patterns match just fine, so I'm all good. Thanks!<br><div class="gmail_extra"><br clear="all"><div><div dir="ltr">
<div>--</div>Mark Shetka<br>Information Technology Systems & Services<br>University of Minnesota - Duluth<br>(218) 726-7682</div></div>
<br><br><div class="gmail_quote">On Wed, Jan 29, 2014 at 8:40 AM, Mark Shetka <span dir="ltr"><<a href="mailto:mshetka@d.umn.edu" target="_blank">mshetka@d.umn.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>I am setting up some patterns to parse Cisco syslog messages. I noticed that pdbtool will not complete if I have a "%F" anywhere in the string.</div>
<div><br></div><div>Example log message:</div><div>%FWSM-1-109006: Authentication failed for user 'test' from <a href="http://131.212.1.1/43250" target="_blank">131.212.1.1/43250</a> to <a href="http://10.1.1.1/22" target="_blank">10.1.1.1/22</a> on interface management<br>
</div><div><br></div><div>This does not complete:</div><div>pdbtool match -p cisco.xml -M "%FWSM-1-109006: Authentication failed for user 'test' from <a href="http://131.212.1.1/43250" target="_blank">131.212.1.1/43250</a> to <a href="http://10.1.1.1/22" target="_blank">10.1.1.1/22</a> on interface management"<br>
</div><div><br></div><div>Nor does simply %F:</div><div>pdbtool match -p cisco.xml -M "%F"<br></div><div><br></div><div>It is fine without the %:</div><div>pdbtool match -p cisco.xml -M "FWSM-1-109006: Authentication failed for user 'test' from <a href="http://131.212.1.1/43250" target="_blank">131.212.1.1/43250</a> to <a href="http://10.1.1.1/22" target="_blank">10.1.1.1/22</a> on interface management"<br>
</div><div><br></div><div><div>MESSAGE=FWSM-1-109006: Authentication failed for user 'test' from <a href="http://131.212.1.1/43250" target="_blank">131.212.1.1/43250</a> to <a href="http://10.1.1.1/22" target="_blank">10.1.1.1/22</a> on interface management</div>
<div>.classifier.class=login</div><div>.classifier.rule_id=5cfbcb23-cfe4-4120-85c1-918df65c0edc</div><div>usracct.username=test</div><div>usracct.device=131.212.1.1</div><div>usracct.service=22</div><div>usracct.type=login</div>
<div>usracct.sessionid=</div><div>usracct.application=</div><div>secevt.verdict=REJECT</div><div>TAGS=.classifier.login,usracct,secevt</div></div><div><br></div><div>It also seems to have issues with "%S", although not quite in the same way. Any ideas what could be causing this?</div>
<div><br></div><div>Mark</div><div><br></div><br clear="all"><div><div dir="ltr"><div>--</div>Mark Shetka<br>Information Technology Systems & Services<br>
University of Minnesota - Duluth<br><a href="tel:%28218%29%20726-7682" value="+12187267682" target="_blank">(218) 726-7682</a></div></div>
</div>
</blockquote></div><br></div></div>