Problem with a pattern in 3.6.4
Hi all,
I am trying to configure a pattern for the following log entry in syslog-ng 3.6.4:
idpsnort01 09/03-13:18:41.935109 [**] [3:19187:6] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] [AppID: dns] {UDP} 80.58.61.250:53 -> 10.196.0.67:60941
My pattern is:
<pattern>@ESTRING:s3: @@ESTRING:: @@ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority : @NUMBER:i0:@] @@[AppID: @QSTRING:s4: ] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
If you try it, you can see it doesn't work. The problem is with the following part of the message:
[Priority: 1] [AppID: dns]
I need to escape "] [AppID:" and catch the "dns" field, but I have tried some configs without luck.
Any idea?
Many thanks.
<pattern>@ESTRING:s3: @@ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**]@ [Classification: @ESTRING:s2:]@ [Priority: @NUMBER:i0@] [AppID: @ESTRING:s4:]@ @QSTRING:i1:{}@ @IPv4:i2@:@NUMBER:i3@ -> @IPv4:i4@:@NUMBER:i5@</pattern>
On 09/03/2015 06:53 AM, C. L. Martinez wrote:
Hi all,
I am trying to configure a pattern for the following log entry in syslog-ng 3.6.4:
idpsnort01 09/03-13:18:41.935109 [**] [3:19187:6] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] [AppID: dns] {UDP} 80.58.61.250:53 -> 10.196.0.67:60941
My pattern is:
<pattern>@ESTRING:s3: @@ESTRING:: @@ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority : @NUMBER:i0:@] @@[AppID: @QSTRING:s4: ] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
If you try it, you can see it doesn't works. Problem is with the following part of the message:
[Priority: 1] [AppID: dns]
I need to escape "] [AppID:" and catch "dns" field, but I have tried some configs withut luck.
Any idea??
Many thanks. ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Evan Rempel erempel@uvic.ca Senior Systems Administrator 250.721.7691 Data Centre Services, University Systems, University of Victoria
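To check both patterns without a syslog-ng instance, here is a small Python model of the patterndb parsers used in this thread (ESTRING, QSTRING, NUMBER, IPv4 and the `@@` escape). It is an added example, not syslog-ng's code or Evan's, and it deliberately simplifies the real matcher (assumed: decimal NUMBER only, left-to-right matching with no backtracking, and the whole message must be consumed); `pdbtool match` against a real patterndb remains the authoritative test. Run on the sample line, it returns None for the original pattern and the extracted fields for the corrected one.

```python
import re

# Constructed inputs: the sample log line and the two patterns quoted in this thread.
SAMPLE = ("idpsnort01 09/03-13:18:41.935109 [**] [3:19187:6] PROTOCOL-DNS TMG Firewall "
          "Client long host entry exploit attempt [**] [Classification: Attempted User "
          "Privilege Gain] [Priority: 1] [AppID: dns] {UDP} 80.58.61.250:53 -> 10.196.0.67:60941")
ORIGINAL = ("@ESTRING:s3: @@ESTRING:: @@ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@"
            "Classification:@QSTRING:s2: ]@ [Priority : @NUMBER:i0:@] @@[AppID: @QSTRING:s4: ] "
            "@QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@")
FIXED = ("@ESTRING:s3: @@ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**]@ [Classification: "
         "@ESTRING:s2:]@ [Priority: @NUMBER:i0@] [AppID: @ESTRING:s4:]@ @QSTRING:i1:{}@ "
         "@IPv4:i2@:@NUMBER:i3@ -> @IPv4:i4@:@NUMBER:i5@")

# A pattern is a sequence of: an escaped "@@", a parser "@TYPE:name:param@", or literal text.
TOKEN = re.compile(r'@@|@([^@]*)@|[^@]+')

def match(pattern, msg):
    """Return {name: value} if the whole message matches the pattern, else None.
    Simplified model of patterndb matching: left to right, no backtracking, decimal NUMBER only."""
    fields, pos = {}, 0
    for tok in TOKEN.finditer(pattern):
        if tok.group(1) is None:                 # literal text; "@@" stands for one "@"
            lit = '@' if tok.group(0) == '@@' else tok.group(0)
            if not msg.startswith(lit, pos):
                return None
            pos += len(lit)
            continue
        kind, name, param = (tok.group(1).split(':', 2) + ['', ''])[:3]
        if kind == 'ESTRING':                    # text up to the delimiter, which is consumed
            end = msg.find(param, pos) if param else len(msg)
            value, nxt = msg[pos:end], end + len(param)
        elif kind == 'QSTRING':                  # param holds the opening and closing quote chars
            end = msg.find(param[-1], pos + 1) if msg.startswith(param[0], pos) else -1
            value, nxt = msg[pos + 1:end], end + 1
        else:                                    # NUMBER or IPv4, the only other parsers used here
            rx = {'NUMBER': r'\d+', 'IPv4': r'\d{1,3}(?:\.\d{1,3}){3}'}[kind]
            hit = re.compile(rx).match(msg, pos)
            end = hit.end() if hit else -1
            value, nxt = msg[pos:end], end
        if end < 0:
            return None
        if name:                                 # unnamed parsers consume text but store nothing
            fields[name] = value
        pos = nxt
    return fields if pos == len(msg) else None

if __name__ == '__main__':
    print('original:', match(ORIGINAL, SAMPLE))  # None: no " [**] [" left for @ESTRING:s1: [**] [@
    print('fixed:   ', match(FIXED, SAMPLE))
```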
Many thanks Evan. It works!
On Thu, Sep 3, 2015 at 3:09 PM, Evan Rempel <erempel@uvic.ca> wrote: