On Fri, 2010-07-23 at 11:45 +0200, Ilas, Yann wrote:
Hello,
I have another question (the last of the day ?) about db parser. In fact, my question is about the QSTRING. I'm not sur to understand how to use it.
I follow the example given here (http://marci.blogs.balabit.com/2009/04/intorduction-to-parser-in-syslog-ng-d...) but it doesn't seem to work.
Here is my xml file :
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2010-07-23'>
<ruleset name='test' id='yann-test'>
<description>Programme : test</description>
<pattern>test</pattern>
<rules>
<rule provider='yann' id='123456789' class='system'>
<patterns>
<pattern>@QSTRING:message:<>@ Message message message</pattern>
</patterns>
</rule>
</rules>
</ruleset>
</patterndb>
I try to test a message by using the pdbtool :
$ /opt/syslog-ng/bin/pdbtool match -p /tmp/syslog-ng.xml -P test -M "<123> Message message message"
Key contains '@' without escaping; key='@QSTRING:message:', value='123456789'
Error parsing pattern database file; filename='/tmp/syslog-ng.xml', error='Error on line 9 char 38: \'>\' is not a valid character following a \'<\' character; it may not begin an element name'
...and I obtain this error.
What's wrong with the message or the use of QSTRING ?
I replaced '<>' by "'" (simple quote) and it works…
Again, you need to use <> -- Bazsi