[syslog-ng] db-parser QSTRING delimiter limitations
Martin Holste
mcholste at gmail.com
Fri Apr 17 23:11:05 CEST 2009
Hi, I'm new to the list and syslog-ng in general. I'm building a
centralized log collector and am very interested in the power of the
db-parser() parsing module. It really has amazing potential, and I'm eager
to implement it. I've been playing with it quite a bit with a
proof-of-concept to parse firewall logs from Cisco FWSM blades. The
$MSGONLY part looks like this for a firewall deny:
Deny udp src OUTSIDE:10.0.0.0/1234 dst INSIDE:192.168.0.0/5678 by
access-group "OUTSIDE" [0xb74026ad, 0x0]
My working parser entry is thus:
<patterndb version='1' pub_date='2009-04-17'>
  <program name='FWSM'>
    <pattern>%FWSM</pattern>
    <rule id='1' class='security'>
      <pattern>Deny@QSTRING:FIREWALL.DENY_PROTO: @src</pattern>
    </rule>
  </program>
</patterndb>
This works great and returns udp and tcp in the ${FIREWALL.DENY_PROTO} macro
for logging, along with the ${.classifier.class} and ${.classifier.rule_id}
macros.
However, when I try to parse out the interface, IP, and port numbers from
the "OUTSIDE:10.0.0.0/1234" part, the delimiters fail to capture correctly and
the whole pattern misses. Here's what I'm trying to do:
<patterndb version='1' pub_date='2009-04-17'>
  <program name='FWSM'>
    <pattern>%FWSM</pattern>
    <rule id='1' class='security'>
      <pattern>Deny@QSTRING:FIREWALL.DENY_PROTO: @src@QSTRING:FIREWALL.DENY_O_INT: @:@IPv4$:FIREWALL.DENY_SRCIP:@/@NUMBER:FIREWALL.DENY_SRCPORT: @dst</pattern>
    </rule>
  </program>
</patterndb>
After much debugging, it appears that there is a problem using QSTRING to
match non-space-delimited parsing boundaries. That is, you cannot parse
arbitrarily, you have to match on space boundaries. Is this true, or am I
doing something wrong? I even tried to parse the 'n' out of the word 'Deny'
with a pattern like <pattern>De@QSTRING:test: @y</pattern> and that fails.
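To make the delimiter behaviour visible offline, the following is an added example (the editor's, not code from the mail or from syslog-ng): a small Python model of the patterndb parser tokens used above (@QSTRING@, @ESTRING@, @IPv4@, @NUMBER@, @ANYSTRING@), run against the FWSM deny line from the mail. It assumes the documented QSTRING semantics (one quote character serves as both opening and closing quote; with two characters the first opens and the second closes; both are consumed) and that a pattern matches when it consumes a prefix of the message, which is how the first pattern in the mail behaves. The `FIXED` pattern is the editor's suggestion using QSTRING's two-character form (a space opens, a colon closes); the stray `$` in `@IPv4$:` is dropped as a typo, and the field names `FIREWALL.DENY_D_INT`, `FIREWALL.DENY_DSTIP`, `FIREWALL.DENY_DSTPORT` and `FIREWALL.ACL` are invented for the example.

```python
"""Toy model of syslog-ng patterndb parser syntax; NOT the real radix-tree engine.
Assumptions: a pattern matches when it consumes a prefix of the message (rest is
ignored); QSTRING with one quote char uses it as both quotes, with two chars the
first opens and the second closes, and both quotes are consumed."""
import re
from collections import namedtuple

Result = namedtuple("Result", "ok values consumed reason")

# @KIND:name:argument@  -- the argument may be empty, e.g. @IPv4:name:@
PARSER_RE = re.compile(r"@(QSTRING|ESTRING|IPv4|NUMBER|ANYSTRING):([^:@]*):([^@]*)@")
NUMBER_RE = re.compile(r"\d+")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# $MSGONLY of the FWSM deny line quoted in the mail.
FWSM_MSG = ('Deny udp src OUTSIDE:10.0.0.0/1234 dst INSIDE:192.168.0.0/5678 '
            'by access-group "OUTSIDE" [0xb74026ad, 0x0]')

# Pattern 1 from the mail: works because ' ' opens the quote after "Deny" and the
# next ' ' closes it, leaving "src" as the next literal.
WORKING = "Deny@QSTRING:FIREWALL.DENY_PROTO: @src"
# Pattern 2 from the mail (stray '$' after IPv4 dropped): the second QSTRING uses a
# single space as both quotes, so it swallows "OUTSIDE:10.0.0.0/1234" up to the next
# space and the literal ':' that follows can never match.
FAILING = ("Deny@QSTRING:FIREWALL.DENY_PROTO: @src@QSTRING:FIREWALL.DENY_O_INT: @"
           ":@IPv4:FIREWALL.DENY_SRCIP:@/@NUMBER:FIREWALL.DENY_SRCPORT: @dst")
# Pattern 3 from the mail: after "De" comes "n", not the opening ' ' quote.
DENY_TEST = "De@QSTRING:test: @y"
# Editor's suggested pattern (assumption): the two-character quote pair " :" makes
# QSTRING open on the space and close on the colon, so the interface name alone is
# captured and the address/port can be picked up by IPv4 and NUMBER.
FIXED = ("Deny@QSTRING:FIREWALL.DENY_PROTO: @src"
         "@QSTRING:FIREWALL.DENY_O_INT: :@@IPv4:FIREWALL.DENY_SRCIP:@/@NUMBER:FIREWALL.DENY_SRCPORT:@"
         " dst@QSTRING:FIREWALL.DENY_D_INT: :@@IPv4:FIREWALL.DENY_DSTIP:@/@NUMBER:FIREWALL.DENY_DSTPORT:@"
         ' by access-group @QSTRING:FIREWALL.ACL:"@')


def tokenize(pattern):
    """Split a pattern into ('LITERAL', text, None) and (kind, name, argument) tuples."""
    tokens, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("LITERAL", pattern[pos:m.start()], None))
        tokens.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("LITERAL", pattern[pos:], None))
    return tokens


def match(pattern, msg):
    """Match pattern against msg from offset 0; on failure say which token failed where."""
    values, i = {}, 0
    for kind, name, arg in tokenize(pattern):
        if kind == "LITERAL":
            if not msg.startswith(name, i):
                return Result(False, values, i, "literal %r not found at offset %d: %r" % (name, i, msg[i:i + 20]))
            i += len(name)
        elif kind == "QSTRING":
            open_q, close_q = (arg[0], arg[1]) if len(arg) >= 2 else (arg, arg)
            if not msg.startswith(open_q, i):
                return Result(False, values, i, "QSTRING %s: opening quote %r not at offset %d: %r" % (name, open_q, i, msg[i:i + 20]))
            start = i + len(open_q)
            end = msg.find(close_q, start)
            if end < 0:
                return Result(False, values, i, "QSTRING %s: closing quote %r not found" % (name, close_q))
            values[name] = msg[start:end]
            i = end + len(close_q)
        elif kind == "ESTRING":  # text up to the delimiter; the delimiter is consumed
            end = msg.find(arg, i)
            if end < 0:
                return Result(False, values, i, "ESTRING %s: delimiter %r not found" % (name, arg))
            values[name] = msg[i:end]
            i = end + len(arg)
        elif kind == "ANYSTRING":  # everything that is left
            values[name], i = msg[i:], len(msg)
        else:  # NUMBER or IPv4: anchored regex at the current offset
            m = (NUMBER_RE if kind == "NUMBER" else IPV4_RE).match(msg, i)
            if not m:
                return Result(False, values, i, "%s %s: no match at offset %d: %r" % (kind, name, i, msg[i:i + 20]))
            values[name] = m.group(0)
            i = m.end()
    return Result(True, values, i, "matched")


if __name__ == "__main__":
    for label, pat in (("working", WORKING), ("failing", FAILING), ("Deny test", DENY_TEST), ("fixed", FIXED)):
        r = match(pat, FWSM_MSG)
        print("%-9s ok=%-5s consumed=%-3d %s" % (label, r.ok, r.consumed, r.reason))
        print("          values=%s" % r.values)
```

Running the block shows the failing pattern stopping at offset 35 with `FIREWALL.DENY_O_INT` already holding the whole `OUTSIDE:10.0.0.0/1234` token, the `De@QSTRING:test: @y` pattern stopping at offset 2 because `n` is not the opening quote, and `FIXED` capturing interface, address and port on both sides plus the access-group name. The model is only a reading aid for the delimiter rules; confirm any pattern against the real syslog-ng parser before relying on it for alerting.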