Hello,

I'm trying to create a pattern, and ran into an interesting problem: I can't use @ with QSTRING as beginning character. Example:

<patterns>
  <pattern>(?@QSTRING:usracct.device:@@)@ [INFO] Anonymous user logged in</pattern>
</patterns>
<examples>
  <example>
    <test_message program="pure-ftpd">(?@192.168.2.52) [INFO] Anonymous user logged in</test_message>
    <test_values>
      <test_value name="usracct.device">192.168.2.52</test_value>
    </test_values>
  </example>
</examples>

But when I test it, pdbtool says:

Unknown parser type specified; type=')'
Testing message program='pure-ftpd' message='(?@192.168.2.52) [INFO] Anonymous user logged in'
Wrong match name='.classifier.rule_id', value='', expected='ef75e712-5e9e-4ca0-a614-5e1bf512286b'
Wrong match name='usracct.device', value='', expected='192.168.2.52'

I changed it to:

<pattern>(?@@@ESTRING:usracct.device:)@ [INFO] Anonymous user logged in</pattern>

Which works, but I'm still curious, if @ should work as a quotation character.

Bye,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/

Hello CzP,

Unfortunately I think it might be forbidden.

@STRING@: A sequence of alphanumeric characters (0-9, A-z), not including any whitespace. Optionally, other accepted characters can be listed as parameters (e.g., to parse a complete sentence, add the whitespace as parameter, like: @STRING:: @). Note that the @ character cannot be a parameter, nor can line-breaks or tabs.

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guid...

The documentation is confusing because the restriction is only listed for @STRING@ but seems like it applies to everything from my experience.

It would be good if this could be fixed somehow.

Matthew.

On Thu, Sep 30, 2010 at 02:38:55PM +0200, Peter Czanik wrote:
> Hello,
>
> I'm trying to create a pattern, and ran into an interesting problem: I can't use @ with QSTRING as beginning character. Example:
>
> <patterns>
>   <pattern>(?@QSTRING:usracct.device:@@)@ [INFO] Anonymous user logged in</pattern>
> </patterns>
> <examples>
>   <example>
>     <test_message program="pure-ftpd">(?@192.168.2.52) [INFO] Anonymous user logged in</test_message>
>     <test_values>
>       <test_value name="usracct.device">192.168.2.52</test_value>
>     </test_values>
>   </example>
> </examples>
>
> But when I test it, pdbtool says:
>
> Unknown parser type specified; type=')'
> Testing message program='pure-ftpd' message='(?@192.168.2.52) [INFO] Anonymous user logged in'
> Wrong match name='.classifier.rule_id', value='', expected='ef75e712-5e9e-4ca0-a614-5e1bf512286b'
> Wrong match name='usracct.device', value='', expected='192.168.2.52'
>
> I changed it to:
>
> <pattern>(?@@@ESTRING:usracct.device:)@ [INFO] Anonymous user logged in</pattern>
>
> Which works, but I'm still curious, if @ should work as a quotation character.
>
> Bye,
> --
> Peter Czanik (CzP) <czanik@balabit.hu>
> BalaBit IT Security / syslog-ng upstream
> http://czanik.blogs.balabit.com/

Hello,

On 09/30/2010 03:51 PM, Matthew Hall wrote:
> Hello CzP,
>
> Unfortunately I think it might be forbidden.
>
> @STRING@: A sequence of alphanumeric characters (0-9, A-z), not including any whitespace. Optionally, other accepted characters can be listed as parameters (e.g., to parse a complete sentence, add the whitespace as parameter, like: @STRING:: @). Note that the @ character cannot be a parameter, nor can line-breaks or tabs.
>
> http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guid...
>
> The documentation is confusing because the restriction is only listed for @STRING@ but seems like it applies to everything from my experience.

Thanks. Any idea how could this be solved here:

<pattern>(czanik@192.168.2.52) [INFO] Logout.</pattern>

"czanik" is a username here, but that might use other characters, not just letters and numbers.

Well, QSTRING or ESTRING does not work here, but I found the necessary information in "man useradd":

"The account name must begin with an alphabetic character and the rest of the string should be from the POSIX portable character class ([A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$])."

So it can be solved with: @STRING::_-.$@

> It would be good if this could be fixed somehow.

Forwarded to the documentation team.

Bye,
CzP
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/

On Thu, Sep 30, 2010 at 04:29:25PM +0200, Peter Czanik wrote:
> Thanks. Any idea how could this be solved here:
>
> <pattern>(czanik@192.168.2.52) [INFO] Logout.</pattern>
>
> "czanik" is a username here, but that might use other characters, not just letters and numbers.
>
> Well, QSTRING or ESTRING does not work here, but I found the necessary information in "man useradd":
>
> "The account name must begin with an alphabetic character and the rest of the string should be from the POSIX portable character class ([A-Za-z_][A-Za-z0-9_-.]*[A-Za-z0-9_-.$])."
>
> So it can be solved with: @STRING::_-.$@

I have also seen '+' and '\' used on UNIX PCs with Windows AD auth configured, to specify the domain.

> > It would be good if this could be fixed somehow.
>
> Forwarded to the documentation team.

Awesome! Thank you for doing that.

> Bye,
> CzP

Regards,
Matthew.
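
A simplified model of the behaviour discussed in this thread, added here as an illustration (it is not syslog-ng's code and not from either poster). It assumes that "@@" is a literal "@" only outside a parser and that the first "@" after a parser's opening "@" closes it, which reproduces the pdbtool error quoted in the first message; the LOGOUT pattern and its usracct.username name are constructed for the example.

```python
import re
# Added illustration: simplified model of patterndb splitting, not syslog-ng code.
# Assumption: "@@" is a literal "@" outside a parser; inside "@...@" the first
# "@" closes the parser, so "@" can never be passed as a parser parameter.
KNOWN = {"STRING", "QSTRING", "ESTRING", "ANYSTRING", "NUMBER", "IPv4"}  # subset
BROKEN = "(?@QSTRING:usracct.device:@@)@ [INFO] Anonymous user logged in"
WORKING = "(?@@@ESTRING:usracct.device:)@ [INFO] Anonymous user logged in"
LOGOUT = "(@STRING:usracct.username:_-.$@@@@ESTRING:usracct.device:)@ [INFO] Logout."  # constructed

def tokenize(pattern):
    """Split into ("lit", text) and ("parser", type, name, param) tokens."""
    tokens, lit, i = [], "", 0
    while i < len(pattern):
        if pattern[i] != "@":
            lit, i = lit + pattern[i], i + 1
        elif pattern.startswith("@@", i):          # escaped literal @
            lit, i = lit + "@", i + 2
        else:
            end = pattern.find("@", i + 1)         # first @ closes the parser
            if end < 0:
                raise ValueError("unterminated parser")
            ptype, _, rest = pattern[i + 1:end].partition(":")
            name, _, param = rest.partition(":")
            if ptype not in KNOWN:
                raise ValueError(f"Unknown parser type specified; type='{ptype}'")
            tokens += ([("lit", lit)] if lit else []) + [("parser", ptype, name, param)]
            lit, i = "", end + 1
    return tokens + ([("lit", lit)] if lit else [])

def match(pattern, message):
    """Return {name: value} on a full match, else None (STRING/ESTRING only)."""
    pos, values = 0, {}
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            if not message.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
        elif tok[1] == "ESTRING":                  # up to, and consuming, the end string
            end = message.find(tok[3], pos)
            if end < 0:
                return None
            values[tok[2]], pos = message[pos:end], end + len(tok[3])
        elif tok[1] == "STRING":                   # alphanumerics plus listed extras
            m = re.match("[A-Za-z0-9" + re.escape(tok[3]) + "]+", message[pos:])
            if not m:
                return None
            values[tok[2]], pos = m.group(), pos + m.end()
        else:
            raise NotImplementedError(tok[1])
    return values if pos == len(message) else None
```

With the constructed LOGOUT pattern, a name such as CORP\jdoe returns None because '\' is not in the STRING parameter list, so such logins would go unclassified until the parameter list is extended.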