What you have is correct (I tested it on my parser database) given that the message getting passed to the parser is
192.168.107.132:12260 -> 207.44.101.104:12260 to 48.70.67.223:940
So it really depends if this message is coming from a real syslog source or if it is coming from a "no_parse" source.
Evan.
Clements, Frank wrote:
Hello Everyone!
I've been trying to get some custom patterns put together to do some log correlation and I'm having one hell of a time getting a working pattern. I think I need a second, third, fourth set of eyes on this ... Any help is appreciated!
Message:
Nov 25 12:02:27 GENERATED NAT-UDP-C: 192.168.107.132:12260 -> 207.44.101.104:12260 to 48.70.67.223:940
Pattern:
@IPvANY:.dict.insideAddr@:@NUMBER:.dict.insidePort@ -> @IPvANY:.dict.outsideAddr@:@NUMBER:.dict.outsidePort@ to @IPvANY:.dict.destAddr@:@NUMBER:.dict.destPort@
I've looked at a few examples from the community patterns, but nothing in this stands out as being "wrong".
Thanks
- Frank W Clements
--
Evan Rempel    erempel@uvic.ca
Senior Systems Administrator    250.721.7691
Unix Services, University Systems, University of Victoria
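
The distinction Evan draws above, as an added example that is not part of the original thread and is not syslog-ng code: a Python approximation that checks Frank's pattern against the MESSAGE part left after the syslog header is parsed, and against the whole raw line as a "no_parse" source would pass it. Assumptions: the regexes standing in for `@IPvANY@` and `@NUMBER@`, the simplified header split, matching from the first character of the message, and the helper names are all constructed for this illustration.

```python
import re

# Rough regex stand-ins for the two patterndb parsers used in the thread
# (approximations chosen for this example; syslog-ng does not use regexes here).
PARSERS = {
    "IPvANY": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]+)",
    "NUMBER": r"\d+",
}
TOKEN = re.compile(r"@(\w+):([^@]*)@")

def compile_pattern(pattern):
    """Turn '@PARSER:name@' tokens into capture groups, literals into escaped text."""
    parts, names, pos = [], [], 0
    for tok in TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:tok.start()]))
        parts.append("(" + PARSERS[tok.group(1)] + ")")
        names.append(tok.group(2))
        pos = tok.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts)), names

def match_message(pattern, message):
    """Match from the first character of the message (assumption of this example)."""
    rx, names = compile_pattern(pattern)
    m = rx.match(message)
    return dict(zip(names, m.groups())) if m else None

def message_part(line):
    """Simplified BSD-syslog header split: timestamp, host, 'program: ', then MESSAGE."""
    m = re.match(r"\w{3} +\d+ \d\d:\d\d:\d\d \S+ [^:\s]+: (.*)$", line)
    return m.group(1) if m else line

# Pattern and log line exactly as posted in the thread.
PATTERN = ("@IPvANY:.dict.insideAddr@:@NUMBER:.dict.insidePort@ -> "
           "@IPvANY:.dict.outsideAddr@:@NUMBER:.dict.outsidePort@ to "
           "@IPvANY:.dict.destAddr@:@NUMBER:.dict.destPort@")
RAW_LINE = ("Nov 25 12:02:27 GENERATED NAT-UDP-C: 192.168.107.132:12260 -> "
            "207.44.101.104:12260 to 48.70.67.223:940")

def demo():
    """Return (result for parsed MESSAGE, result for the unparsed raw line)."""
    parsed = match_message(PATTERN, message_part(RAW_LINE))
    unparsed = match_message(PATTERN, RAW_LINE)
    return parsed, unparsed

if __name__ == "__main__":
    parsed, unparsed = demo()
    print("header parsed  :", parsed)
    print("whole raw line :", unparsed)
```
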