Hi, I&#39;m new to the list and syslog-ng in general.  I&#39;m building a centralized log collector and am very interested in the power of the db-parser() parsing module.  It really has amazing potential, and I&#39;m eager to implement it.  I&#39;ve been playing with it quite a bit with a proof-of-concept to parse firewall logs from Cisco FWSM blades.  The $MSGONLY part looks like this for a firewall deny:<br>
<br>Deny udp src OUTSIDE:<a href="http://10.0.0.0/1234">10.0.0.0/1234</a> dst INSIDE:<a href="http://192.168.0.0/5678">192.168.0.0/5678</a> by access-group &quot;OUTSIDE&quot; [0xb74026ad, 0x0]<br><br>My working parser entry is thus:<br>
<br>&lt;patterndb version=&#39;1&#39; pub_date=&#39;2009-04-17&#39;&gt;<br>  &lt;program name=&#39;FWSM&#39;&gt;<br>    &lt;pattern&gt;%FWSM&lt;/pattern&gt;<br>    &lt;rule id=&#39;1&#39; class=&#39;security&#39;&gt;<br>      &lt;pattern&gt;Deny@QSTRING:FIREWALL.DENY_PROTO: @src&lt;/pattern&gt;<br>
    &lt;/rule&gt;<br>  &lt;/program&gt;<br>&lt;/patterndb&gt;<br><br>This works great and returns udp and tcp in the ${FIREWALL.DENY_PROTO} macro for logging, along with the ${.classifier.class} and ${.classifier.rule_id} macros.<br>
<br>However, when I try to parse out the interface, IP, and port numbers from &quot;OUTSIDE:<a href="http://10.0.0.0/1234">10.0.0.0/1234</a>&quot; part, the delimiters fail to capture correctly and the whole pattern misses.  Here&#39;s what I&#39;m trying to do:<br>
<br>&lt;patterndb version=&#39;1&#39; pub_date=&#39;2009-04-17&#39;&gt;<br>
  &lt;program name=&#39;FWSM&#39;&gt;<br>
    &lt;pattern&gt;%FWSM&lt;/pattern&gt;<br>
    &lt;rule id=&#39;1&#39; class=&#39;security&#39;&gt;<br>
      &lt;pattern&gt;Deny@QSTRING:FIREWALL.DENY_PROTO: @src@QSTRING:FIREWALL.DENY_O_INT: @:@IPv4$:FIREWALL.DENY_SRCIP:@/@NUMBER:FIREWALL.DENY_SRCPORT: @dst&lt;/pattern&gt;<br>
    &lt;/rule&gt;<br>
  &lt;/program&gt;<br>
&lt;/patterndb&gt;<br><br>After much debugging, it appears that there is a problem using QSTRING to match non-space-delimited parsing boundaries.  That is, you cannot parse arbitrarily, you have to match on space boundaries.  Is this true, or am I doing something wrong?  I even tried to parse the &#39;n&#39; out of the word &#39;Deny&#39; with a pattern like &lt;pattern&gt;De@QSTRING:test: @y&lt;/pattern&gt; and that fails.  From the debug, it appears that unless there is a space present, the radix key is off by one:<br>
<br>Looking up node in the radix tree; i=&#39;0&#39;, nodelen=&#39;0&#39;, keylen=&#39;138&#39;, root_key=&#39;&#39;, key=&#39;Deny udp src&lt;snip&gt;&lt;/snip&gt;&#39;<br>Looking up node in the radix tree; i=&#39;2&#39;, nodelen=&#39;2&#39;, keylen=&#39;138&#39;, root_key=&#39;De&#39;, key=&#39;Deny udp src&lt;snip&gt;&lt;/snip&gt;&#39;<br>
<br>It looks like the key for the second entry should be key=&#39;ny udp src&lt;snip&gt;&lt;/snip&gt;&#39; since the original &#39;De&#39; match already hit.  I put a lot of printf debugging statements in the code to see if I could figure out what was going wrong, but I havent&#39; been able to conclude what the problem is yet, assuming arbitrary pattern delimiting was the intended goal.  Is anyone able to successfully get db-parser() to parse on arbitrary characters?<br>
<br>Also, the source code refers to STRING and ESTRING, how are those different from QSTRING?  It looked like ESTRING was probably just an offset-based version of QSTRING.<br><br>Thanks,<br><br>Martin<br><br><br>