Here are a couple of db-parser patterns I've been using for FWSMs:

<program name='FWSM'>
  <pattern>%FWSM</pattern>
  <rule id='2' class='2'>
    <pattern>Deny@QSTRING:FIREWALL.proto: @src@QSTRING:FIREWALL.o_int: :@@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport:@ dst@QSTRING:FIREWALL.i_int: :@@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport:@ by access-group @QSTRING:FIREWALL.access_group:"@</pattern>
  </rule>
  <rule id='3' class='3'>
    <pattern>Teardown@QSTRING:FIREWALL.proto: @connection @NUMBER::@ for@QSTRING:FIREWALL.o_int: :@@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport@ to@QSTRING:FIREWALL.i_int: :@@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport@ duration@QSTRING:FIREWALL.conn_duration: @bytes @NUMBER:FIREWALL.conn_bytes:@</pattern>
  </rule>
</program>

These are using the 3.0.1 syntax; I haven't updated to use the 3.1 syntax. Rule 2 is for FWSM denies, rule 3 is for FWSM connection teardowns.

Hope that helps.

--Martin

On Fri, Jun 26, 2009 at 3:24 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Fri, 2009-06-26 at 10:14 +0200, Henk van Lingen wrote:
Hi,
Is it possible to change the message text before it is inserted into a database?
I have syslog-ng-3.0.2 running and it does insert the messages directly into a PostgreSQL database, using the new sql(type(pgsql)) destination feature.
The problem is I have lots of Cisco firewall logs, and in the database I have a GIN index for doing full-text searching. For this index, the database decomposes the message into tokens. I want to be able to search on IP numbers. However, in lines like
world/123.456.192.46(0) -> some-fwsm/123.456.221.121(0)
this won't work because the tokens are world/123.456.192.46 and /123.456.192.46, not 123.456.192.46.
To solve the problem it would be nice if there is a way to replace the slashes with spaces before the message goes to the database.
You could perhaps be interested in the new db-parser() feature, see the related blog posts about that.
To simply replace '/' with ' ' is quite easy:
# subst(search, replacement ...): the regexp to find comes first, then the replacement
rewrite r_replace_slashes { subst('/', ' ' flags(global)); };
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
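As an added example, not code from the thread and not syslog-ng's own code: a small Python approximation of how Martin's two db-parser patterns pull fields out of FWSM messages, together with the slash-to-space rewrite from Bazsi's reply applied to Henk's sample line. The regex translation of the @QSTRING@, @IPv4@ and @NUMBER@ parsers, the function names, and the sample log lines (constructed with documentation addresses) are mine; the real patterndb engine is a radix-tree matcher and the <program> lookup is not modelled here, only the MESSAGE part after the %FWSM-x-nnnnnn: prefix.

```python
import re

# Martin's two patterns, copied from the thread (3.0.1 syntax), keyed by rule id.
FWSM_RULES = {
    "2": ('Deny@QSTRING:FIREWALL.proto: @src@QSTRING:FIREWALL.o_int: :@'
          '@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport:@ dst'
          '@QSTRING:FIREWALL.i_int: :@@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport:@'
          ' by access-group @QSTRING:FIREWALL.access_group:"@'),
    "3": ('Teardown@QSTRING:FIREWALL.proto: @connection @NUMBER::@ for'
          '@QSTRING:FIREWALL.o_int: :@@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport@ to'
          '@QSTRING:FIREWALL.i_int: :@@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport@'
          ' duration@QSTRING:FIREWALL.conn_duration: @bytes @NUMBER:FIREWALL.conn_bytes:@'),
}

# A parser token looks like @PARSER:name:params@; name and params may be empty/absent.
TOKEN_RE = re.compile(r"@(\w+):([\w.]*)(?::([^@]*))?@")

# Regex stand-ins for the fixed-format parsers (my approximation, not syslog-ng's code).
SIMPLE_PARSERS = {
    "NUMBER": r"\d+",
    "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}",
}


def compile_pattern(pattern):
    """Translate one db-parser pattern into (compiled regex, list of field names)."""
    parts, names, pos = [], [], 0
    for tok in TOKEN_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:tok.start()]))   # literal text before the token
        parser, name, params = tok.group(1), tok.group(2), tok.group(3) or ""
        if parser == "QSTRING":
            # QSTRING: text between delimiters. One char opens and closes ('"'),
            # two chars are open/close (' :' means from a space up to a colon).
            if not params:
                raise ValueError("QSTRING needs delimiter characters")
            open_c, close_c = params[0], params[-1]
            parts.append(re.escape(open_c) + "([^%s]*)" % re.escape(close_c) + re.escape(close_c))
        elif parser in SIMPLE_PARSERS:
            parts.append("(%s)" % SIMPLE_PARSERS[parser])
        else:
            raise ValueError("unsupported parser %s" % parser)
        names.append(name)          # '' for @NUMBER::@, which matches but stores nothing
        pos = tok.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts)), names


COMPILED_RULES = {rid: compile_pattern(p) for rid, p in FWSM_RULES.items()}


def parse_fwsm(message):
    """Return (rule_id, {field: value}) for the first rule matching the message, else None.

    Matching is anchored at the start of the MESSAGE part; trailing text such as the
    teardown reason is ignored by this approximation.
    """
    for rule_id, (regex, names) in COMPILED_RULES.items():
        m = regex.match(message)
        if m:
            return rule_id, {n: v for n, v in zip(names, m.groups()) if n}
    return None


def replace_slashes(message):
    """Bazsi's subst('/', ' ' flags(global)) done in Python, so '/' no longer glues an
    address to the interface name when a full-text indexer tokenizes the message."""
    return message.replace("/", " ")


# Constructed sample messages (documentation addresses), not real FWSM output.
DENY_SAMPLE = ('Deny tcp src outside:192.0.2.10/51234 dst inside:198.51.100.20/22'
               ' by access-group "outside_access_in"')
TEARDOWN_SAMPLE = ('Teardown TCP connection 1234567 for outside:192.0.2.10/51234'
                   ' to inside:198.51.100.20/22 duration 0:00:03 bytes 4096 TCP FINs')
HENK_SAMPLE = 'world/123.456.192.46(0) -> some-fwsm/123.456.221.121(0)'

if __name__ == "__main__":
    for line in (DENY_SAMPLE, TEARDOWN_SAMPLE):
        print(parse_fwsm(line))
    print(replace_slashes(HENK_SAMPLE).split())
```

Running it prints rule "2" with proto/interfaces/addresses/ports/access group for the deny line, rule "3" with the duration and byte count for the teardown, and a token list in which 123.456.192.46(0) stands on its own instead of hanging off world/.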