There is something in my configuration, because with your string it doesn't log the id...

    parser p_assp {
        # db-parser(file("/opt/syslog-ng/etc/patterndb.xml"));
        db-parser();
    };

I tried twice but it doesn't work.

    log {
        ...
        ...
        parser(p_assp);
        ...
    };

Thanks,
Jacopo

2009/7/7 Martin Holste <mcholste@gmail.com>:
Some documentation is here: http://marci.blogs.balabit.com/2009/04/intorduction-to-parser-in-syslog-ng-d... .
Try this:
<pattern>@ESTRING:id_message: @@QSTRING:msg:@</pattern>
I'm not sure about the msg part (didn't test it) but I'm sure that you want an ESTRING for the beginning since there is no starting quote char and you have special chars in what you are extracting. Marton's blog post has a lot more explanation, but in the end it will take a bit of trial and error for you to get proficient at it. It's worth it, though--the db-parser module is extremely efficient and will add a lot of depth to your analysis capabilities.
I'm working on a Javascript front-end for point-and-click creation of db-parser templates from example logs, but it won't be ready for awhile.
--Martin
On Tue, Jul 7, 2009 at 3:56 AM, Jacopo Cappelli <jacopo89@gmail.com> wrote:
I can't understand how db-parser works. I want to parse a string:

    m-56767-1333854 79.127.28.54 <mfdesigner@diggitgraphics.com> MessageScore is now 30, after adding 30 (Suspicious HELO - contains IP: '[79.127.28.54]')

I want to have m-56767-1333854 in $ID_MESSAGE and 79.127.28.54 <mfdesigner@diggitgraphics.com> MessageScore is now 30, after adding 30 (Suspicious HELO - contains IP: '[79.127.28.54]') in $MSG.
I tried with:

    <patterndb>
      <ruleset name='assp'>
        <pattern>assp</pattern>
        <rules>
          <rule provider='balabit' id='1' class='system'>
            <patterns>
              <pattern>@QSTRING:id_message: @ @QSTRING:msg@</pattern>
            </patterns>
          </rule>
        </rules>
      </ruleset>
    </patterndb>

But the field in the db is empty. I read the link about db-parser usage but I can't resolve it...
Thanks,
Jacopo

--
Linux, Windows XP and MS-DOS (also known as the Good, the Bad and the Ugly). -- Matt Welsh

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
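To see why the QSTRING-only pattern leaves the fields empty and what the ESTRING variant extracts, here is a small Python emulation of the patterndb parsers discussed in this thread (ESTRING, QSTRING and the real ANYSTRING parser, which the thread does not mention). This is added example code, not syslog-ng's own matcher or anything from the posters. Its assumptions are simplifications: the ESTRING delimiter is consumed, a QSTRING with no quote characters can never match, and the whole line must be matched; verify the real behaviour against the syslog-ng documentation before relying on it.

```python
import re

# Constructed sample: the ASSP log line Jacopo wants to split into $ID_MESSAGE and $MSG.
SAMPLE = ("m-56767-1333854 79.127.28.54 <mfdesigner@diggitgraphics.com> "
          "MessageScore is now 30, after adding 30 "
          "(Suspicious HELO - contains IP: '[79.127.28.54]')")

# Recognises @TYPE:name@ and @TYPE:name:param@ inside a patterndb pattern string.
PARSER_RE = re.compile(r"@(ESTRING|QSTRING|ANYSTRING):([A-Za-z0-9_]+)(?::([^@]*))?@")


def tokenize(pattern):
    """Split a pattern into literal text and parser tokens, in order."""
    tokens, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("LIT", pattern[pos:m.start()]))
        tokens.append((m.group(1), m.group(2), m.group(3) or ""))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("LIT", pattern[pos:]))
    return tokens


def match(pattern, line):
    """Emulated patterndb match: returns the extracted fields, or None on no match."""
    fields, pos = {}, 0
    for tok in tokenize(pattern):
        if tok[0] == "LIT":
            if not line.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
            continue
        kind, name, param = tok
        if kind == "ESTRING":
            # Everything up to the delimiter; assumption: the delimiter is consumed.
            if not param:
                return None
            end = line.find(param, pos)
            if end < 0:
                return None
            fields[name] = line[pos:end]
            pos = end + len(param)
        elif kind == "QSTRING":
            # Text between quote chars; one char = same open/close, two = open then close.
            # Assumption: an empty quote set cannot match anything.
            if not param:
                return None
            open_q, close_q = param[0], param[-1]
            if not line.startswith(open_q, pos):
                return None
            end = line.find(close_q, pos + 1)
            if end < 0:
                return None
            fields[name] = line[pos + 1:end]
            pos = end + 1
        elif kind == "ANYSTRING":
            fields[name] = line[pos:]  # the rest of the line
            pos = len(line)
    # Assumption: the pattern must consume the whole message.
    return fields if pos == len(line) else None


# The three candidate patterns: the two from the thread plus an ESTRING+ANYSTRING variant.
PATTERNS = {
    "original (QSTRING for both)": "@QSTRING:id_message: @ @QSTRING:msg@",
    "suggested (ESTRING + QSTRING)": "@ESTRING:id_message: @@QSTRING:msg:@",
    "ESTRING + ANYSTRING": "@ESTRING:id_message: @@ANYSTRING:msg@",
}


def try_all(line=SAMPLE):
    """Run every candidate pattern against one line; None means the rule would not fire."""
    return {label: match(p, line) for label, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, result in try_all().items():
        print(f"{label}: {result}")
```

Running it shows the QSTRING-only pattern failing on the first character (the id starts with `m`, not a quote), which is exactly the "field empty in the db" symptom: a non-matching pattern silently yields no fields, so any later search or alert keyed on `$ID_MESSAGE` would miss the event rather than error out. The ESTRING form captures `m-56767-1333854`; whether the remainder lands in `msg` depends on the second parser, and in this emulation only the ANYSTRING variant returns the full `$MSG` Jacopo asked for.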