Hello CzP,

Unfortunately I think it might be forbidden.

@STRING@: A sequence of alphanumeric characters (0-9, A-z), not including any whitespace. Optionally, other accepted characters can be listed as parameters (e.g., to parse a complete sentence, add the whitespace as parameter, like: @STRING:: @). Note that the @ character cannot be a parameter, nor can line-breaks or tabs.

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guid...

The documentation is confusing because the restriction is only listed for @STRING@ but seems like it applies to everything from my experience. It would be good if this could be fixed somehow.

Matthew.

On Thu, Sep 30, 2010 at 02:38:55PM +0200, Peter Czanik wrote:
Hello,
I'm trying to create a pattern, and ran into an interesting problem: I can't use @ with QSTRING as beginning character. Example:
<patterns>
  <pattern>(?@QSTRING:usracct.device:@@)@ [INFO] Anonymous user logged in</pattern>
</patterns>
<examples>
  <example>
    <test_message program="pure-ftpd">(?@192.168.2.52) [INFO] Anonymous user logged in</test_message>
    <test_values>
      <test_value name="usracct.device">192.168.2.52</test_value>
    </test_values>
  </example>
</examples>
But when I test it, pdbtool says:
Unknown parser type specified; type=')'
Testing message program='pure-ftpd' message='(?@192.168.2.52) [INFO] Anonymous user logged in'
Wrong match name='.classifier.rule_id', value='', expected='ef75e712-5e9e-4ca0-a614-5e1bf512286b'
Wrong match name='usracct.device', value='', expected='192.168.2.52'
I changed it to:
<pattern>(?@@@ESTRING:usracct.device:)@ [INFO] Anonymous user logged in</pattern>
Which works, but I'm still curious whether @ should work as a quotation character.
Bye,
-- Peter Czanik (CzP) <czanik@balabit.hu> BalaBit IT Security / syslog-ng upstream http://czanik.blogs.balabit.com/
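Added example, not part of either e-mail and not syslog-ng code: a simplified Python model of how a pattern is split at @ characters, showing why the QSTRING pattern yields a parser of type ')' while the ESTRING pattern parses cleanly. It assumes that the first @ after a parser's opening @ always closes it, which is inferred from the pdbtool output quoted in the thread; the names tokenize, unknown_parser_types and KNOWN_TYPES are hypothetical.

```python
# Simplified model (an assumption, not syslog-ng source): "@@" is a literal
# "@", and the first "@" after a parser's opening "@" always closes it.

# Parser types known to exist in syslog-ng patterndb (not an exhaustive list).
KNOWN_TYPES = {"STRING", "QSTRING", "ESTRING", "ANYSTRING", "NUMBER",
               "IPv4", "IPv6", "IPvANY"}


def tokenize(pattern):
    """Split a pattern into ("literal", text) and
    ("parser", type, name, param) tuples."""
    tokens, literal, i = [], [], 0
    while i < len(pattern):
        if pattern[i] != "@":
            literal.append(pattern[i])
            i += 1
        elif pattern[i + 1:i + 2] == "@":      # "@@" escapes one literal "@"
            literal.append("@")
            i += 2
        else:
            end = pattern.find("@", i + 1)     # first "@" ends the parser
            if end == -1:
                raise ValueError("unterminated parser at offset %d" % i)
            if literal:
                tokens.append(("literal", "".join(literal)))
                literal = []
            ptype, name, param = (pattern[i + 1:end].split(":", 2) + ["", ""])[:3]
            tokens.append(("parser", ptype, name, param))
            i = end + 1
    if literal:
        tokens.append(("literal", "".join(literal)))
    return tokens


def unknown_parser_types(pattern):
    """Return parser types the model does not recognise."""
    return [t[1] for t in tokenize(pattern)
            if t[0] == "parser" and t[1] not in KNOWN_TYPES]


# The two patterns from the thread.
FAILING = "(?@QSTRING:usracct.device:@@)@ [INFO] Anonymous user logged in"
WORKING = "(?@@@ESTRING:usracct.device:)@ [INFO] Anonymous user logged in"

if __name__ == "__main__":
    for p in (FAILING, WORKING):
        print(p, "->", tokenize(p), unknown_parser_types(p))
```

In the failing pattern the first @ of the intended "@@" parameter closes QSTRING with an empty parameter, so the remaining "@)@" is read as a second parser whose type is ')'.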