How to use parsed results from program pattern?
Hi folks,

the documentation (https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guid...) states multiple times that program patterns and message patterns work the same way.

"You can also use parsers in the program pattern if needed, and use the parsed results later. For example: <pattern>postfix\@ESTRING:.postfix.component:[@</pattern>"

I am trying to achieve exactly this behaviour. But my foobar.pdb (see attachment or http://pastebin.com/aZKMKmkc) seems not to work. I tested it with pdbtool:

pdbtool -v test foobar.pdb
Testing message program='imapd(foo)' message='connect from 192.168.2.179 (192.168.2.179)'
Match name='.classifier.rule_id', value='foobaz', expected='foobaz'
Match name='IPA', value='192.168.2.179', expected='192.168.2.179'
Match name='IPB', value='192.168.2.179', expected='192.168.2.179'
Wrong match name='FOOA', value='', expected='foo'
Wrong match name='FOOB', value='', expected='foo'

What am I doing wrong? How can I use the parsed results from the program pattern later?
Tested with syslog-ng version:

syslog-ng 3.4.3
Installer-Version: 3.4.3
Revision: ssh+git://algernon@git.balabit/var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.4#no_branch#64d670f3cbfb90769f3c7f0fdd9c70bb9136ec5b
Compile-Date: Aug 27 2013 17:55:45
Available-Modules: afsocket-tls,cryptofuncs,affile,afsocket,syslogformat,dbparser,afsocket-notls,basicfuncs,json-plugin,system-source,afmongodb,afamqp,afprog,afuser,confgen,csvparser
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-Linux-Caps: on
Enable-Pcre: on

And:

syslog-ng 3.3.9
Installer-Version: 3.3.9
Revision: 3.3.9-1 (/)
Compile-Date: May 26 2013 11:36:00
Default-Modules: affile,afprog,afsocket,afuser,afsql,basicfuncs,csvparser,dbparser,syslogformat
Available-Modules: afsocket-notls,basicfuncs,confgen,afsocket,convertfuncs,syslogformat,afuser,csvparser,dbparser,affile,afsocket-tls,afprog
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on

Best Regards,
Daniel
On Thu, 2013-08-29 at 11:21 +0200, Daniel Walter wrote:
hm... the extraction from the program name part was not always implemented, and got ported from the PE version some time ago. Let me check when it was integrated into the OSE tree. This is the patch:

bazsi@bzorp:~/zwa/work/syslog-ng-ose-3.4/syslog-ng-ose/modules/dbparser$ git show 11f4ed96
commit 11f4ed960dcf7bc8ac053378fd1527870eaf7983
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Fri Sep 16 12:00:58 2011 +0200

    db-parser(): add support for storing values extracted from the program name portion

    Previously, only the values extracted from the $MSG portion was used to
    populate the message. This patch makes it possible to use parsers in the
    program name field and name-value pairs extracted from $PROGRAM will be
    also set in the message if a match occurs.

And it was integrated into syslog-ng 3.4:

bazsi@bzorp:~/zwa/work/syslog-ng-ose-3.4/syslog-ng-ose/modules/dbparser$ git describe 11f4ed96
v3.4.0alpha2-30-g11f4ed9

Are you sure you tried it with 3.4 and not with the 3.3 version you also quoted? It does work for me in 3.4:

bazsi@bzorp:~/.zwa/install/syslog-ng-ose-3.4$ pdbtool -v test ~/tmp/foobar.pdb
Module loaded and initialized successfully; module='syslogformat'
Module loaded and initialized successfully; module='basicfuncs'
Testing message program='imapd(foo)' message='connect from 192.168.2.179 (192.168.2.179)'
Match name='.classifier.rule_id', value='foobaz', expected='foobaz'
Match name='IPA', value='192.168.2.179', expected='192.168.2.179'
Match name='IPB', value='192.168.2.179', expected='192.168.2.179'
Match name='FOOA', value='foo', expected='foo'
Wrong match name='FOOB', value='', expected='foo'

FOOB wasn't set because it's not the pattern that was matched.

HTH
--
Bazsi
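A minimal pattern database in the shape this thread describes, added here as a constructed example (it is not Daniel's foobar.pdb and not syslog-ng project code): a parser in the ruleset-level program pattern stores FOOA, and pdbtool test checks it together with the message-pattern values. The ruleset id, provider and pub_date are placeholders; the rule id is "foobaz" so that .classifier.rule_id matches the output quoted above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example; ruleset id, provider and pub_date are placeholders -->
<patterndb version="4" pub_date="2013-08-29">
  <ruleset name="imapd" id="example-ruleset-id">
    <!-- Program pattern: @ESTRING:FOOA:)@ stores everything up to ')' in FOOA.
         Values from this pattern are set on the message only on syslog-ng 3.4+
         (commit 11f4ed96, v3.4.0alpha2-30), and only for the pattern that matched. -->
    <pattern>imapd(@ESTRING:FOOA:)@</pattern>
    <rules>
      <rule provider="example" id="foobaz" class="system">
        <patterns>
          <!-- Message pattern: two IPv4 parsers stored as IPA and IPB -->
          <pattern>connect from @IPv4:IPA:@ (@IPv4:IPB:@)</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="imapd(foo)">connect from 192.168.2.179 (192.168.2.179)</test_message>
            <test_values>
              <!-- FOOA comes from the program pattern, IPA/IPB from the message pattern -->
              <test_value name="FOOA">foo</test_value>
              <test_value name="IPA">192.168.2.179</test_value>
              <test_value name="IPB">192.168.2.179</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Run it with pdbtool -v test as in the thread: a 3.3 build, which predates the commit quoted in the reply, reports FOOA as a wrong match with an empty value, while 3.4 reports it as matched.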