My Zsh shell was somehow interfering with pdbtool and the % symbols. I reran with Bash and the patterns match just fine, so I'm all good. Thanks!

--
Mark Shetka
Information Technology Systems & Services
University of Minnesota - Duluth
(218) 726-7682

On Wed, Jan 29, 2014 at 8:40 AM, Mark Shetka <mshetka@d.umn.edu> wrote:

I am setting up some patterns to parse Cisco syslog messages. I noticed that pdbtool will not complete if I have a "%F" anywhere in the string.

Example log message:

    %FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management

This does not complete:

    pdbtool match -p cisco.xml -M "%FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management"

Nor does simply %F:

    pdbtool match -p cisco.xml -M "%F"

It is fine without the %:

    pdbtool match -p cisco.xml -M "FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management"

    MESSAGE=FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management
    .classifier.class=login
    .classifier.rule_id=5cfbcb23-cfe4-4120-85c1-918df65c0edc
    usracct.username=test
    usracct.device=131.212.1.1
    usracct.service=22
    usracct.type=login
    usracct.sessionid=
    usracct.application=
    secevt.verdict=REJECT
    TAGS=.classifier.login,usracct,secevt

It also seems to have issues with "%S", although not quite in the same way. Any ideas what could be causing this?
Mark