Forward slashes in QSTRING
Is it possible to use a / as a delimiter in QSTRING? The documentation seems to permit it, but my pattern doesn't work. Here's the pattern:

<pattern>Alert Level: @NUMBER:i0:@; Rule: @NUMBER:i1:@ - @ESTRING:s0:;@ Location: @QSTRING:s1:()@ @IPv4:i2:@->syscheck; Integrity checksum changed for: @QSTRING:s4:/'@</pattern>

And here's the string I want to match on:

Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: (agentname) 172.16.0.1->syscheck; Integrity checksum changed for: '/etc/fstab'

The idea is to extract only 'fstab' (without the quotes). I have also tried 0x2f in place of / with similar results, and various attempts at escaping it have failed. Thanks.
You are missing the opening quote before the /etc/

Evan Rempel
250.721.7691
Systems Administrator
University of Victoria

On 2012-06-17, at 10:44 AM, "Michael Starks" <syslog-ng-list@michaelstarks.com> wrote:
> Is it possible to use a / as a delimiter in QSTRING? The documentation seems to permit it, but my pattern doesn't work. Here's the pattern:
>
> <pattern>Alert Level: @NUMBER:i0:@; Rule: @NUMBER:i1:@ - @ESTRING:s0:;@ Location: @QSTRING:s1:()@ @IPv4:i2:@->syscheck; Integrity checksum changed for: @QSTRING:s4:/'@</pattern>
>
> And here's the string I want to match on:
>
> Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: (agentname) 172.16.0.1->syscheck; Integrity checksum changed for: '/etc/fstab'
>
> The idea is to extract only 'fstab' (without the quotes). I have also tried 0x2f in place of / with similar results, and various attempts at escaping it have failed. Thanks.
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On 06/17/2012 03:27 PM, Evan Rempel wrote:
> You are missing the opening quote before the /etc/

Ahh, yes I see it now, thanks. :)
On 06/17/2012 03:27 PM, Evan Rempel wrote:
> You are missing the opening quote before the /etc/

Hmmm, well that does work, but it matches on the first /, resulting in something like 'etc/fstab'. Is there any way to match on the last / without knowing how many of them there will be in advance?
If you know this will be the rest of the message, you can use a capturing @ANYSTRING:var:@ to grab everything left in the message.

On Sun, Jun 17, 2012 at 9:49 PM, Michael Starks <syslog-ng-list@michaelstarks.com> wrote:
> On 06/17/2012 03:27 PM, Evan Rempel wrote:
>> You are missing the opening quote before the /etc/
>
> Hmmm, well that does work, but it matches on the first /, resulting in something like 'etc/fstab'. Is there any way to match on the last / without knowing how many of them there will be in advance?
On 06/19/2012 11:24 AM, Martin Holste wrote:
> If you know this will be the rest of the message, you can use a capturing @ANYSTRING:var:@ to grab everything left in the message.

Thanks. I have tried @ANYSTRING@ but as I suspected it starts matching on the first / since the pattern is being read left-to-right. What ends up happening is that the entire file path is included. I still don't see a way to capture everything between the last / and the ' without knowing in advance how deep the path will be.
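The thread's sticking point is that the parser consumes the message left-to-right, so a delimiter-based capture can only stop at the first '/' it sees. The usual way out is the one Martin hints at: capture the whole quoted path as a unit and strip the directory part afterwards, splitting from the right. The Python below is an added illustration written for this page, not code from syslog-ng or from any poster; the sample alert line is constructed to match the format quoted above, and the field names (i0, i1, s0, s1, i2, s4) simply mirror the names in the pattern.

```python
import re
from typing import Optional

# Constructed sample alert in the format quoted in the thread (not a real event).
SAMPLE = ("Alert Level: 7; Rule: 550 - Integrity checksum changed.; "
          "Location: (agentname) 172.16.0.1->syscheck; "
          "Integrity checksum changed for: '/etc/fstab'")

# One anchored expression for the whole line. The path between the quotes is
# captured as a single unit, so it may contain any number of '/' characters.
ALERT_RE = re.compile(
    r"^Alert Level: (?P<i0>\d+); "
    r"Rule: (?P<i1>\d+) - (?P<s0>[^;]*); "
    r"Location: \((?P<s1>[^)]*)\) (?P<i2>\d{1,3}(?:\.\d{1,3}){3})->syscheck; "
    r"Integrity checksum changed for: '(?P<s4>[^']*)'$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the named fields of a syscheck alert line, or None if the line
    does not have the expected shape (so malformed input is not half-parsed)."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["i0"] = int(fields["i0"])
    fields["i1"] = int(fields["i1"])
    return fields


def first_slash_capture(path: str) -> str:
    """Model of a left-to-right capture that opens at the first '/' and runs to
    the closing quote: '/etc/fstab' becomes 'etc/fstab', the result seen in the thread."""
    return path.split("/", 1)[1] if "/" in path else path


def basename(path: str) -> str:
    """Strip the directory part by splitting from the right, so the depth of the
    path does not need to be known in advance. A trailing '/' yields ''."""
    return path.rsplit("/", 1)[-1]


def changed_file(line: str) -> Optional[str]:
    """Full pipeline: parse the alert, then reduce the captured path to its basename."""
    fields = parse_alert(line)
    return None if fields is None else basename(fields["s4"])
```

In syslog-ng itself the same two-step approach is a QSTRING capture of the full quoted path followed by a rewrite rule (subst()) on that field; the Python only demonstrates the logic.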