Hi all,

I use the NetScreen pattern. The ruleset:

<ruleset name="NetScreen" id='1001'>
  <pattern>fw</pattern>
  <rules>
    <rule provider="ELSA" class='1001' id='1001'>
      <patterns>
        <pattern>NetScreen device_id=@ESTRING:s0: @@ESTRING:: @start_time="@ESTRING::"@ duration=@ESTRING:: @policy_id=@ESTRING:i0: @service=@ESTRING:s1: @proto=@ESTRING:: @src zone=@ESTRING:s2: @dst zone=@ESTRING:s3: @action=@ESTRING:s4: @sent=@ESTRING:: @rcvd=@ESTRING:: @src=@ESTRING:i1: @dst=@ESTRING:i2: @src_port=@ESTRING:i3: @dst_port=@ESTRING:i4: @session_id=@ESTRING:: @reason=Traffic Denied</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="NetScreen deny">NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied</test_message>
          <!-- device -->
          <test_value name="s0">fw</test_value>
          <!-- policy id-->
          <test_value name="i0">10005</test_value>
          <!-- service -->
          <test_value name="s1">http</test_value>
          <!-- src zone -->
          <test_value name="s2">OUT</test_value>
          <!-- dst zone -->
          <test_value name="s3">IN</test_value>
          <!-- action -->
          <test_value name="s4">Deny</test_value>
          <!-- src -->
          <test_value name="i1">192.168.0.1</test_value>
          <!-- dst -->
          <test_value name="i2">192.168.1.1</test_value>
          <!-- src_port -->
          <test_value name="i3">51271</test_value>
          <!-- dst_port-->
          <test_value name="i4">80</test_value>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>

But I get this error:

/usr/local/syslog-ng/bin/pdbtool match -c -D -v -p /usr/local/elsa/node/conf/patterndb.xml -P fw -M "NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied"

Pattern matching part:
NetScreen device_id=@ESTRING:s0=fw@@ESTRING:None=[Root]system-notification-00257(traffic):@start_time=2012-10-02
Matching part:
NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time=
Values:
MESSAGE=NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time=2012-10-02
PROGRAM=fw
.classifier.class=unknown

Any help here? Thanks,
Stefan
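
The command line above as a POSIX shell parses it, in an added example that is not part of the original post. `arg_after_M` is a hypothetical helper standing in for pdbtool (it only returns the argument that follows `-M`), and the message is shortened to the part around `start_time`.

```shell
#!/bin/sh
# Constructed sample: the NetScreen message from the post, cut after policy_id.

# Hypothetical stand-in for pdbtool: print the argument that follows -M.
arg_after_M() {
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "-M" ]; then
            printf '%s' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Quoting as typed in the post. The inner double quotes close and reopen the
# outer string, so they are removed by the shell, and the now-unquoted space
# between date and time ends the argument. The result is the same truncated
# text that pdbtool printed as MESSAGE= in the post.
as_typed() {
    arg_after_M -M "NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005"
}

# Single quotes around the whole message keep the inner double quotes literal,
# so the start_time=" literal in the pattern has something to match.
single_quoted() {
    arg_after_M -M 'NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005'
}

# Equivalent form: keep the outer double quotes and escape the inner ones.
escaped() {
    arg_after_M -M "NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time=\"2012-10-02 09:46:20\" duration=0 policy_id=10005"
}

printf 'as typed:      %s\n' "$(as_typed)"
printf 'single-quoted: %s\n' "$(single_quoted)"
printf 'escaped:       %s\n' "$(escaped)"
```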