Hi,

First you should simply try a pattern like this:

<pattern>@ESTRING:id_message: @</pattern>

This would match your line and would extract the message id. Then you can work on extending it.

Also probably the easiest option is to use the @ANYSTRING@ parser, which would match everything till the end of the message. It is available in the 3.1 git tree: http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=commit;h=c22ee8dad59b56b9...

So your pattern would look something like this:

<pattern>@ESTRING:id_message: @@ANYSTRING:rest@</pattern>

In the SQL statement you can then use the ${id_message} and ${rest} macros. (Note that ANYSTRING is available only in the 3.1 tree, which uses the newer patterndb format!)

Let me know if it works.

best,
Marton

On Tue, 2009-07-07 at 11:10 -0500, Martin Holste wrote:
Some documentation is here: http://marci.blogs.balabit.com/2009/04/intorduction-to-parser-in-syslog-ng-d... .
Try this:
<pattern>@ESTRING:id_message: @@QSTRING:msg:@</pattern>
I'm not sure about the msg part (didn't test it) but I'm sure that you want an ESTRING for the beginning since there is no starting quote char and you have special chars in what you are extracting. Marton's blog post has a lot more explanation, but in the end it will take a bit of trial and error for you to get proficient at it. It's worth it, though--the db-parser module is extremely efficient and will add a lot of depth to your analysis capabilities.
I'm working on a Javascript front-end for point-and-click creation of db-parser templates from example logs, but it won't be ready for a while.
--Martin
On Tue, Jul 7, 2009 at 3:56 AM, Jacopo Cappelli<jacopo89@gmail.com> wrote:
I can't understand how db-parser works. I want to parse a string:

m-56767-1333854 79.127.28.54 <mfdesigner@diggitgraphics.com> MessageScore is now 30, after adding 30 (Suspicious HELO - contains IP: '[79.127.28.54]')

I want to have m-56767-1333854 in $ID_MESSAGE and 79.127.28.54 <mfdesigner@diggitgraphics.com> MessageScore is now 30, after adding 30 (Suspicious HELO - contains IP: '[79.127.28.54]') in $MSG.

I tried with:
<patterndb>
  <ruleset name='assp'>
    <pattern>assp</pattern>
    <rules>
      <rule provider='balabit' id='1' class='system'>
        <patterns>
          <pattern>@QSTRING:id_message: @ @QSTRING:msg@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
But the field in the db is empty. I read the link about db-parser usage but I can't resolve it...
Thanks,
Jacopo
--
Linux, Windows XP and MS-DOS (also known as the Good, the Bad and the Ugly). -- Matt Welsh
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
-- Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
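To see why Jacopo's QSTRING pattern leaves the fields empty while Marton's ESTRING/ANYSTRING pattern fills ${id_message} and ${rest}, here is a small Python model of those three parsers run over the sample line from the thread. This is an added example, not syslog-ng's own code: it simplifies the db-parser semantics (start-anchored matching, ESTRING delimiter and QSTRING quote handling as described in the replies above), and the names SAMPLE, TOKEN_RE and match_pattern are its own.

```python
import re

# Constructed sample: the log line Jacopo posted in the thread.
SAMPLE = ("m-56767-1333854 79.127.28.54 <mfdesigner@diggitgraphics.com> "
          "MessageScore is now 30, after adding 30 "
          "(Suspicious HELO - contains IP: '[79.127.28.54]')")

# One db-parser token: @TYPE:name@ or @TYPE:name:argument@
TOKEN_RE = re.compile(r"@(ESTRING|QSTRING|ANYSTRING):([A-Za-z_]\w*)(?::([^@]*))?@")


def match_pattern(pattern, msg):
    """Return extracted fields, or None if the pattern does not match.
    Model assumption: the pattern is anchored at the start of the message;
    a pattern that ends before the message does still matches (as Marton's
    first suggestion implies), which is what makes ANYSTRING useful for the rest."""
    fields, pos, i = {}, 0, 0
    while i < len(pattern):
        tok = TOKEN_RE.match(pattern, i)
        if tok is None:
            # Text outside @...@ is literal and must match exactly.
            if pos >= len(msg) or msg[pos] != pattern[i]:
                return None
            pos, i = pos + 1, i + 1
            continue
        kind, name, arg = tok.groups()
        i = tok.end()
        if kind == "ESTRING":
            # Consume up to the delimiter, then skip the delimiter itself.
            end = msg.find(arg, pos) if arg else -1
            if end < 0:
                return None
            fields[name] = msg[pos:end]
            pos = end + len(arg)
        elif kind == "QSTRING":
            # Text enclosed in quote characters given by the argument
            # (first char opens, last char closes); no argument => no match.
            if not arg or pos >= len(msg) or msg[pos] != arg[0]:
                return None
            end = msg.find(arg[-1], pos + 1)
            if end < 0:
                return None
            fields[name] = msg[pos + 1:end]
            pos = end + 1
        else:  # ANYSTRING: the rest of the message, whatever it contains
            fields[name] = msg[pos:]
            pos = len(msg)
    return fields
```

Jacopo's pattern fails at the very first token because the message does not start with the space that `@QSTRING:id_message: @` treats as an opening quote, so nothing is extracted; the ESTRING pattern stops at the first space and ANYSTRING takes everything after it.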