Can a parser type be made to optionally match? For example, given the message of 'DROP IN=vlan2 OUT= MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 SRC=1.2.3.4 DST=172.16.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=61318 PROTO=TCP SPT=443 DPT=45872 SEQ=1548679084 ACK=0 WINDOW=0 RES=0x00 RST URGP', OUT= may or may not be defined. I would like to match it if it exists with a parser and maybe just set it to null if it doesn't exist.

Similarly, in this message: 'DROP IN=vlan2 OUT= MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 SRC=1.2.3.4 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=3265 DF PROTO=TCP SPT=443 DPT=44616 SEQ=880418731 ACK=0 WINDOW=0 RES=0x00 RST UR', the DF field sometimes exists and sometimes doesn't.

Whenever I define something like 'DROP IN=@ESTRING:s1: @OUT=@ESTRING:s0: @', the OUT= string doesn't match if there is no value.
In general, db-parser() uses a quite low-level representation, so you need to use multiple rules to match these messages. I was already thinking about creating a bit high(er) level tool that could generate some of the rules (instead of working with the XML directly), but never got around to doing that.

On Sat, Jul 5, 2014 at 6:15 PM, Michael Starks <syslog-ng-list@michaelstarks.com> wrote:
> Can a parser type be made to optionally match? For example, given the message of 'DROP IN=vlan2 OUT= MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 SRC=1.2.3.4 DST=172.16.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=61318 PROTO=TCP SPT=443 DPT=45872 SEQ=1548679084 ACK=0 WINDOW=0 RES=0x00 RST URGP' OUT= may or may not be defined. I would like to match it if it exists with a parser and maybe just set it to null if it doesn't exist.
>
> Similarly, in this message: 'DROP IN=vlan2 OUT= MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 SRC=1.2.3.4 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=3265 DF PROTO=TCP SPT=443 DPT=44616 SEQ=880418731 ACK=0 WINDOW=0 RES=0x00 RST UR' the DF field sometimes exists and sometimes doesn't.
>
> Whenever I define something like 'DROP IN=@ESTRING:s1: @OUT=@ESTRING:s0: @' the OUT= string doesn't match if there is no value.
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
On 2014-07-06 12:10, Balazs Scheidler wrote:
> In general, db-parser() uses a quite low-level representation, so you need to use multiple rules to match these messages.
>
> I was already thinking about creating a bit high(er) level tool, that could generate some of the rules (instead of working with the xml directly), but never got around to do that.
Thanks, Balazs. This could reduce the number of rules needed by an order of magnitude when it's unknown what may be in a particular field.
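For comparison with the multiple-rule approach in db-parser(), the following is an added example (not from the thread and not syslog-ng code) showing how the two messages quoted above can be tokenised so that an empty OUT= yields None and an absent DF yields False instead of a failed match; key=value tokens become fields, bare tokens become flags, and truncated tail tokens such as URGP are kept aside. The function name parse_netfilter_log and the flag list are assumptions of this example.

```python
# Added example: tolerant parser for netfilter/iptables LOG lines.
# Constructed sample input, copied from the two messages in the thread
# (both are truncated at the end exactly as they were posted).
SAMPLE_NO_DF = (
    "DROP IN=vlan2 OUT= MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 "
    "SRC=1.2.3.4 DST=172.16.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=61318 "
    "PROTO=TCP SPT=443 DPT=45872 SEQ=1548679084 ACK=0 WINDOW=0 RES=0x00 RST URGP"
)
SAMPLE_WITH_DF = (
    "DROP IN=vlan2 OUT= MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 "
    "SRC=1.2.3.4 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=3265 DF "
    "PROTO=TCP SPT=443 DPT=44616 SEQ=880418731 ACK=0 WINDOW=0 RES=0x00 RST UR"
)

# Bare (valueless) tokens the kernel logger may emit; an assumed list for
# this example. Note that ACK also appears as the key=value token ACK=<seq>,
# so flags are kept in their own sub-dict to avoid a name clash.
KNOWN_FLAGS = ("DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG")
# Keys that must always be present in the result, even when empty or absent.
OPTIONAL_KEYS = ("IN", "OUT")


def parse_netfilter_log(line, optional_keys=OPTIONAL_KEYS, known_flags=KNOWN_FLAGS):
    """Return a dict of fields plus a 'flags' sub-dict and an 'unparsed' list.

    An empty value (e.g. 'OUT=') becomes None; a key from optional_keys that
    does not occur at all also becomes None.  Every known flag gets True/False,
    so a message without DF still yields flags['DF'] == False.  Bare tokens that
    are not known flags (such as the truncated 'URGP' or 'UR') are collected
    under 'unparsed' instead of breaking the whole match.
    """
    result = {key: None for key in optional_keys}
    result["flags"] = {flag: False for flag in known_flags}
    result["unparsed"] = []
    tokens = line.split()
    # The leading word without '=' is the --log-prefix text ("DROP" here).
    if tokens and "=" not in tokens[0] and tokens[0] not in known_flags:
        result["prefix"] = tokens[0]
        tokens = tokens[1:]
    for token in tokens:
        if "=" in token:
            key, _, value = token.partition("=")
            result[key] = value if value != "" else None
        elif token in known_flags:
            result["flags"][token] = True
        else:
            result["unparsed"].append(token)
    return result
```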