<div dir="ltr"><div><div>In general, db-parser() uses a quite low-level representation, so you need to use multiple rules to match<br></div>these messages.<br><br></div>I was already thinking about creating a bit high(er) level tool, that could generate some of the rules (instead of working with the xml directly), but never got around to do that.<br>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Jul 5, 2014 at 6:15 PM, Michael Starks <span dir="ltr"><<a href="mailto:syslog-ng-list@michaelstarks.com" target="_blank">syslog-ng-list@michaelstarks.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Can a parser type be made to optionally match? For example, given the<br>
message of 'DROP IN=vlan2 OUT=<br>
MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 SRC=1.2.3.4<br>
DST=172.16.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=61318 PROTO=TCP<br>
SPT=443 DPT=45872 SEQ=1548679084 ACK=0 WINDOW=0 RES=0x00 RST URGP' OUT=<br>
may or may not be defined. I would like to match it if it exists with a<br>
parser and maybe just set it to nul if it doesn't exist.<br>
<br>
Similarly, in this message: 'DROP IN=vlan2 OUT=<br>
MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 SRC=1.2.3.4<br>
DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=3265 DF PROTO=TCP<br>
SPT=443 DPT=44616 SEQ=880418731 ACK=0 WINDOW=0 RES=0x00 RST UR' the DF<br>
field sometimes exists and sometimes doesn't.<br>
<br>
Whenever I define something like 'DROP IN=@ESTRING:s1: @OUT=@ESTRING:s0:<br>
@' the OUT= string doesn't match if there is no value.<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br>Bazsi
</div></div>