Pattern Matching Help
Team syslog-ng,

I am attempting to write a parser to break apart a structured syslog message and break it into values that I will ultimately forward to MongoDB. I am unable to get the parsing to work. Below is a link to my parser database file and I have built in a simple test case. If someone could assist me by matching at least one field of the test log found in my example PDB I would be most appreciative for the help. I will also contribute my PDB back to the community.

https://github.com/RobWC/syslog-ng-SRX/blob/master/junos-sme-12.1.pdb

Thanks again for your help.

-- Rob
From over on the ELSA list, we came up with this:
<ruleset name="junos" id="1001">
  <rules>
    <rule provider="ELSA" class="1001" id="1001">
      <patterns>
        <pattern>RT_FLOW_SESSION_CLOSE: session closed @STRING:s0: @: @IPv4:i0:@/@NUMBER:i4:@->@IPv4:i1:@/@NUMBER:i2:@ @STRING:s2:-@ @IPv4::@/@NUMBER::@->@IPv4::@/@NUMBER::@ @STRING::@ @STRING:s1:@ @NUMBER:i3:@</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="">RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.196.0.15/25668->81.45.8.13/80 junos-http 212.31.40.37/14243->81.45.8.13/80 r1 None 6 Navegacion_temporal trust untrust 54117 8(1426) 7(903) 2</test_message>
          <test_values>
            <test_value name="i0">10.196.0.15</test_value>
            <test_value name="i1">81.45.8.13</test_value>
            <test_value name="i2">80</test_value>
            <test_value name="i3">6</test_value>
            <test_value name="i4">25668</test_value>
            <test_value name="s0">TCP FIN</test_value>
            <test_value name="s1">None</test_value>
            <test_value name="s2">junos-http</test_value>
          </test_values>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>

On Fri, Apr 27, 2012 at 12:39 PM, Rob Cameron <rwcameron@gmail.com> wrote:
Team syslog-ng,
I am attempting to write a parser to break apart a structured syslog message and break it into values that I will ultimately forward to MongoDB. I am unable to get the parsing to work. Below is a link to my parser database file and I have built in a simple test case. If someone could assist me by matching at least one field of the test log found in my example PDB I would be most appreciative for the help. I will also contribute my PDB back to the community.
https://github.com/RobWC/syslog-ng-SRX/blob/master/junos-sme-12.1.pdb
Thanks again for your help.
-- Rob
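As an added offline check (example code, not syslog-ng's own matcher and not part of the thread), the following Python models the three parsers used in the ruleset above, @STRING@ with its extra-characters parameter, @NUMBER@ and @IPv4@, as a regex, runs it over the test_message and compares the extracted macros with the test_values. It is a simplified model that anchors at the start of the message and ignores whatever follows the pattern, so the authoritative check remains `pdbtool test` against the .pdb file.

```python
import re

# Pattern and test message as they appear in the ruleset posted above.
PATTERN = ("RT_FLOW_SESSION_CLOSE: session closed @STRING:s0: @: @IPv4:i0:@/@NUMBER:i4:@->"
           "@IPv4:i1:@/@NUMBER:i2:@ @STRING:s2:-@ @IPv4::@/@NUMBER::@->@IPv4::@/@NUMBER::@ "
           "@STRING::@ @STRING:s1:@ @NUMBER:i3:@")
MESSAGE = ("RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.196.0.15/25668->81.45.8.13/80 "
           "junos-http 212.31.40.37/14243->81.45.8.13/80 r1 None 6 Navegacion_temporal "
           "trust untrust 54117 8(1426) 7(903) 2")
# Expected values copied from the <test_values> block of the ruleset.
EXPECTED = {"i0": "10.196.0.15", "i1": "81.45.8.13", "i2": "80", "i3": "6",
            "i4": "25668", "s0": "TCP FIN", "s1": "None", "s2": "junos-http"}

def parser_regex(kind, param):
    """Regex approximating one patterndb parser (simplified model, not syslog-ng code)."""
    if kind == "STRING":
        # STRING takes alphanumerics; the parameter lists extra accepted characters,
        # e.g. @STRING:s0: @ also accepts spaces and @STRING:s2:-@ accepts hyphens.
        return "[A-Za-z0-9" + re.escape(param) + "]+"
    if kind == "NUMBER":
        return r"\d+"          # decimal only; syslog-ng's NUMBER also takes 0x hex
    if kind == "IPv4":
        return r"\d{1,3}(?:\.\d{1,3}){3}"
    raise ValueError("parser not modelled here: " + kind)

def compile_pattern(pattern):
    """Turn a patterndb pattern into a compiled regex: literal text is escaped,
    each @PARSER:name:param@ token becomes a (named) group."""
    parts, pos = [], 0
    for m in re.finditer(r"@(\w+)(?::([^:@]*)(?::([^@]*))?)?@", pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        kind, name, param = m.group(1), m.group(2) or "", m.group(3) or ""
        body = parser_regex(kind, param)
        parts.append("(?P<%s>%s)" % (name, body) if name else "(?:%s)" % body)
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts))

def match_pattern(pattern, message):
    """Match from the start of the message; returns the named macros or None."""
    m = compile_pattern(pattern).match(message)
    return m.groupdict() if m else None

def verify_example(pattern, message, expected):
    """Compare parsed macros with the test_values; returns (name, got, want) mismatches."""
    got = match_pattern(pattern, message) or {}
    return [(k, got.get(k), v) for k, v in expected.items() if got.get(k) != v]
```

An empty list from verify_example means every test_value is reproduced; each entry otherwise names the macro, the value extracted and the value the example expects.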
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
participants (2)
- Martin Holste
- Rob Cameron