ESTRING terminated by a colon?
Hello,

Hopefully this is a new question. I've been trying to write patterns for error messages sent by Cisco IOS devices. For example:

20: *Feb 28 15:00:08.556 AKST: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up

A pattern that works:

@NUMBER:seqno@: @ESTRING:CISCO.DATE: %@LINEPROTO-5-UPDOWN: Line protocol on Interface @ESTRING:arg1:,@ changed state to @ANYSTRING:arg2@

But to avoid capturing the colon and space, the end-match needs to be ": " (i.e. colon space), like so:

@ESTRING:CISCO.DATE:: @

However, I'm unsure how to quote the colon, when it's already the ESTRING param delimiter?

Thanks
Hi,

you can escape the colon using another colon, like @ESTRING:CISCO.DATE::: @

Similarly, if you need to use @ in a parser, you can escape it like @@

I'll include this in the next version of the adminguide.

Robert

Glen Johnson wrote:
> Hello,
> Hopefully this is a new question. I've been trying to write patterns for error messages sent by Cisco IOS devices. For example:
> 20: *Feb 28 15:00:08.556 AKST: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
> A pattern that works:
> @NUMBER:seqno@: @ESTRING:CISCO.DATE: %@LINEPROTO-5-UPDOWN: Line protocol on Interface @ESTRING:arg1:,@ changed state to @ANYSTRING:arg2@
> But to avoid capturing the colon and space, the end-match needs to be ": " (i.e. colon space), like so:
> @ESTRING:CISCO.DATE:: @
> However, I'm unsure how to quote the colon, when it's already the ESTRING param delimiter?
> Thanks

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
> you can escape the colon using another colon, like @ESTRING:CISCO.DATE::: @ Similarly, if you need to use @ in a parser, you can escape it like @@
Tested this using pdbtool match, using several permutations. I couldn't get a match.
On Tuesday, April 13, 2010 19:16 CEST, Glen Johnson <gfjohnson@alaska.edu> wrote:
> > you can escape the colon using another colon, like @ESTRING:CISCO.DATE::: @ Similarly, if you need to use @ in a parser, you can escape it like @@
> Tested this using pdbtool match, using several permutations. I couldn't get a match.

Then this looks like a bug; two independent developers stated that :: should work. I'll get someone to take a closer look at it.
There may be a bug as I can't get a single or colon-escaped single colon to match, but as a workaround, this fits the bill:

@ESTRING:CISCO.DATE:: @%LINEPROTO...

where the ESTRING match pattern is <colon><space>. It's a greedy match, so the % must immediately follow the @ because the colon and space were parsed and consumed.

On Tue, Apr 13, 2010 at 1:11 PM, Fekete Róbert <frobert@balabit.com> wrote:
> Then this looks like a bug; two independent developers stated that :: should work. I'll get someone to take a closer look at it.
Hi,

You don't need to escape it; it will work as you want to use it (": "). The pattern that I am using:

<pattern>@NUMBER:seqno@: @ESTRING:CISCO.DATE:: @@ANYSTRING:arg2@</pattern>

pdbtool output:

root@thor:/opt/syslog-ng# bin/pdbtool match -p /opt/syslog-ng/var/patterndb.xml -M "20: *Feb 28 15:00:08.556 AKST: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up"
MESSAGE=20: *Feb 28 15:00:08.556 AKST: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
.classifier.class=system
.classifier.rule_id=09944c71-95eb-4bc0-8575-936931d85713
seqno=20
CISCO.DATE=*Feb 28 15:00:08.556 AKST
arg2=%LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
testvalue=OK

and it also works with syslog-ng.

Glen Johnson wrote:
> > you can escape the colon using another colon, like @ESTRING:CISCO.DATE::: @ Similarly, if you need to use @ in a parser, you can escape it like @@
> Tested this using pdbtool match, using several permutations. I couldn't get a match.
-- pzolee
Thank you for the responses. I believe Robert and Martin are correct; this is at the very least misbehavior. Zoltán, you're correct, that pattern does work. But let's look at a different example. This message:

Dropping TCP packet from outside:192.168.25.36/10001 to inside:10.0.25.56/22383, reason: MSS exceeded, MSS 1380, data 1400

only matches the pattern

Dropping TCP packet from @ESTRING:::@@IPv4@/@NUMBER@ to @ESTRING:::@@IPv4@/@NUMBER@, reason: MSS exceeded, MSS @NUMBER@, data @NUMBER@

when one of the @ESTRING:::@@IPv4@ blocks is changed to @STRING@:@IPv4@. If not a bug, why?

On Wed, Apr 14, 2010 at 1:28 AM, Zoltán Pallagi <pzolee@balabit.hu> wrote:
> Hi,
> You don't need to escape it; it will work as you want to use it (": "). The pattern that I am using:
> <pattern>@NUMBER:seqno@: @ESTRING:CISCO.DATE:: @@ANYSTRING:arg2@</pattern>
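To make the behaviour discussed in this thread concrete, the following is an added example (not syslog-ng code, and not written by any of the posters): a small Python model of the patterndb pattern syntax covering @NUMBER@, @IPv4@, @STRING@, @ESTRING@, @ANYSTRING@ and the @@ escape for a literal @. The model makes three assumptions. First, the ESTRING parameter is everything after the second colon, taken literally, which is what Zoltán's pdbtool run shows: ": " needs no escaping, and the ":::" form from the first reply looks for ":: " and therefore does not match, consistent with Glen's report. Second, a pattern has to consume the whole message. Third, STRING matches alphanumerics plus any extra characters given as its parameter, which is the documented default but is not stated on this page. Both of Glen's messages are embedded as constructed sample input. The model matches Glen's second pattern as well, so it reproduces what the participants expected rather than the mismatch he observed.

```python
import re

# Constructed sample inputs: the two messages quoted in the thread.
CISCO_MSG = ("20: *Feb 28 15:00:08.556 AKST: %LINEPROTO-5-UPDOWN: "
             "Line protocol on Interface BVI1, changed state to up")
ASA_MSG = ("Dropping TCP packet from outside:192.168.25.36/10001 to "
           "inside:10.0.25.56/22383, reason: MSS exceeded, MSS 1380, data 1400")

NUMBER_RE = re.compile(r"[0-9]+")
IPV4_RE = re.compile(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}")


def tokenize(pattern):
    """Split a pattern into ('lit', text) and ('parser', type, name, param) tokens.

    '@@' outside a parser is a literal '@'.  Inside '@TYPE:name:param@' the
    parameter is everything after the second colon, taken literally (assumption
    based on the pdbtool run in the thread), so a ': ' delimiter is written
    '@ESTRING:name:: @' with no escaping.
    """
    tokens, lit, i = [], [], 0
    while i < len(pattern):
        if pattern.startswith("@@", i):
            lit.append("@")
            i += 2
        elif pattern[i] == "@":
            end = pattern.index("@", i + 1)          # ValueError if unterminated
            if lit:
                tokens.append(("lit", "".join(lit)))
                lit = []
            parts = pattern[i + 1:end].split(":", 2)
            parts += [""] * (3 - len(parts))         # pad missing name / param
            tokens.append(("parser", *parts))
            i = end + 1
        else:
            lit.append(pattern[i])
            i += 1
    if lit:
        tokens.append(("lit", "".join(lit)))
    return tokens


def match(pattern, message):
    """Match the message against the pattern from the start.

    Assumption: the pattern must consume the entire message.  Returns a dict
    of the named fields (empty if no parser is named), or None on no match.
    """
    fields, pos = {}, 0
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            if not message.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
            continue
        _, ptype, name, param = tok
        if ptype in ("NUMBER", "IPv4"):
            m = (NUMBER_RE if ptype == "NUMBER" else IPV4_RE).match(message, pos)
            if m is None:
                return None
            value, pos = m.group(0), m.end()
        elif ptype == "STRING":
            # alphanumerics plus any extra characters listed as the parameter
            m = re.compile(r"[A-Za-z0-9%s]+" % re.escape(param)).match(message, pos)
            if m is None:
                return None
            value, pos = m.group(0), m.end()
        elif ptype == "ESTRING":
            if not param:
                raise ValueError("ESTRING needs a delimiter parameter")
            end = message.find(param, pos)           # first occurrence of the delimiter
            if end < 0:
                return None
            value, pos = message[pos:end], end + len(param)   # delimiter is consumed
        elif ptype == "ANYSTRING":
            value, pos = message[pos:], len(message)
        else:
            raise ValueError("unsupported parser type %r" % ptype)
        if name:
            fields[name] = value
    return fields if pos == len(message) else None


# The patterns from the thread.
GLEN_FIRST = ("@NUMBER:seqno@: @ESTRING:CISCO.DATE: %@LINEPROTO-5-UPDOWN: "
              "Line protocol on Interface @ESTRING:arg1:,@ changed state to @ANYSTRING:arg2@")
ZOLTAN = "@NUMBER:seqno@: @ESTRING:CISCO.DATE:: @@ANYSTRING:arg2@"
ESCAPED = "@NUMBER:seqno@: @ESTRING:CISCO.DATE::: @@ANYSTRING:arg2@"
ASA_ESTRING = ("Dropping TCP packet from @ESTRING:::@@IPv4@/@NUMBER@ to @ESTRING:::@@IPv4@/@NUMBER@, "
               "reason: MSS exceeded, MSS @NUMBER@, data @NUMBER@")
ASA_STRING = ("Dropping TCP packet from @STRING@:@IPv4@/@NUMBER@ to @ESTRING:::@@IPv4@/@NUMBER@, "
              "reason: MSS exceeded, MSS @NUMBER@, data @NUMBER@")

if __name__ == "__main__":
    for label, pat, msg in (("glen-first", GLEN_FIRST, CISCO_MSG), ("zoltan", ZOLTAN, CISCO_MSG),
                            ("escaped", ESCAPED, CISCO_MSG), ("asa-estring", ASA_ESTRING, ASA_MSG),
                            ("asa-string", ASA_STRING, ASA_MSG)):
        print(label, "->", match(pat, msg))
```

Running it shows the difference Glen was after: with the " %" delimiter CISCO.DATE comes back as "*Feb 28 15:00:08.556 AKST:" (trailing colon included), while with the ": " delimiter it is "*Feb 28 15:00:08.556 AKST" and the "%" must start the next token, which is Martin's point about the delimiter being consumed.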
participants (5)
- Fekete Róbert
- Glen Johnson
- Martin Holste
- Robert Fekete
- Zoltán Pallagi