My Zsh shell was somehow interfering with pdbtool and the % symbols. I reran with Bash and the patterns match just fine, so I'm all good. Thanks!

Mark Shetka
Information Technology Systems & Services
University of Minnesota - Duluth
(218) 726-7682

On Wed, Jan 29, 2014 at 8:40 AM, Mark Shetka <mshetka@d.umn.edu> wrote:

I am setting up some patterns to parse Cisco syslog messages. I noticed that pdbtool will not complete if I have a "%F" anywhere in the string.

Example log message:
%FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management

This does not complete:
pdbtool match -p cisco.xml -M "%FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management"

Nor does simply %F:
pdbtool match -p cisco.xml -M "%F"

It is fine without the %:
pdbtool match -p cisco.xml -M "FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management"

MESSAGE=FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management

.classifier.class=login
.classifier.rule_id=5cfbcb23-cfe4-4120-85c1-918df65c0edc
usracct.username=test
usracct.device=131.212.1.1
usracct.service=22
usracct.type=login

usracct.sessionid=
usracct.application=
secevt.verdict=REJECT
TAGS=.classifier.login,usracct,secevt

It also seems to have issues with "%S", although not quite in the same way. Any ideas what could be causing this?

Mark

--
Mark Shetka
Information Technology Systems & Services
University of Minnesota - Duluth
(218) 726-7682