No subject
Fri Apr 3 20:57:51 CEST 2009
Hi, I'm new to the list and syslog-ng in general. I'm building a
centralized log collector and am very interested in the power of the
db-parser() parsing module. It really has amazing potential, and I'm eager
to implement it. I've been playing with it quite a bit with a
proof-of-concept to parse firewall logs from Cisco FWSM blades. The $MSGONLY
part looks like this for a firewall deny:

Deny udp src OUTSIDE:10.0.0.0/1234 dst INSIDE:192.168.0.0/5678 by access-group "OUTSIDE" [0xb74026ad, 0x0]

My working parser entry is thus:

<patterndb version='1' pub_date='2009-04-17'>
  <program name='FWSM'>
    <pattern>%FWSM</pattern>
    <rule id='1' class='security'>
      <pattern>Deny@QSTRING:FIREWALL.DENY_PROTO: @src</pattern>
    </rule>
  </program>
</patterndb>

This works great and returns udp and tcp in the ${FIREWALL.DENY_PROTO} macro
for logging, along with the ${.classifier.class} and ${.classifier.rule_id}
macros.

However, when I try to parse out the interface, IP, and port numbers from
the "OUTSIDE:10.0.0.0/1234" part, the delimiters fail to capture correctly
and the whole pattern misses. Here's what I'm trying to do:

<patterndb version='1' pub_date='2009-04-17'>
  <program name='FWSM'>
    <pattern>%FWSM</pattern>
    <rule id='1' class='security'>
      <pattern>Deny@QSTRING:FIREWALL.DENY_PROTO: @src@QSTRING:FIREWALL.DENY_O_INT: @:@IPv4$:FIREWALL.DENY_SRCIP:@/@NUMBER:FIREWALL.DENY_SRCPORT: @dst</pattern>
    </rule>
  </program>
</patterndb>

After much debugging, it appears that there is a problem using QSTRING to
match non-space-delimited parsing boundaries. That is, you cannot parse
arbitrarily, you have to match on space boundaries. Is this true, or am I
doing something wrong? I even tried to parse the 'n' out of the word 'Deny'
with a pattern like <pattern>De@QSTRING:test: @y</pattern> and that fails.
From the debug, it appears that unless there is a space present, the radix
key is off by one:

Looking up node in the radix tree; i='0', nodelen='0', keylen='138',
root_key='', key='Deny udp src<snip></snip>'
Looking up node in the radix tree; i='2', nodelen='2', keylen='138',
root_key='De', key='Deny udp src<snip></snip>'

It looks like the key for the second entry should be key='ny udp
src<snip></snip>' since the original 'De' match already hit. I put a lot of
printf debugging statements in the code to see if I could figure out what
was going wrong, but I haven't been able to conclude what the problem is
yet, assuming arbitrary pattern delimiting was the intended goal. Is anyone
able to successfully get db-parser() to parse on arbitrary characters?

Also, the source code refers to STRING and ESTRING; how are those different
from QSTRING? It looked like ESTRING was probably just an offset-based
version of QSTRING.

Thanks,

Martin
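As an added example (not part of Martin's post and not syslog-ng's own matcher), the following Python toy models the documented @QSTRING:name:delims@, @NUMBER:name@ and @IPv4:name@ semantics against the FWSM line quoted above: a single delimiter character opens and closes the quoted value, two characters mean open then close, and like the post's working rule a pattern only needs to match a prefix of the message. The INTERFACE pattern, which quotes the interface between a space and a colon, is my assumption and is not a pattern from the post.

```python
import re
# Constructed copy of the $MSGONLY text quoted in the post.
MSG = ('Deny udp src OUTSIDE:10.0.0.0/1234 dst INSIDE:192.168.0.0/5678 '
       'by access-group "OUTSIDE" [0xb74026ad, 0x0]')
# Parser tokens look like @TYPE:name@ or @TYPE:name:arg@ (QSTRING's arg = delimiters).
PARSER_RE = re.compile(r'@(QSTRING|NUMBER|IPv4):([^:@]*)(?::([^@]*))?@')
VALUE_RE = {'NUMBER': re.compile(r'\d+'), 'IPv4': re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')}

def tokenize(pattern):
    """Split a db-parser pattern into literal strings and (type, name, arg) tuples."""
    tokens, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(pattern[pos:m.start()])
        tokens.append((m.group(1), m.group(2), m.group(3) or ''))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(pattern[pos:])
    return tokens

def match(pattern, msg):
    """Match pattern against the start of msg; return captured fields or None."""
    fields, pos = {}, 0
    for tok in tokenize(pattern):
        if isinstance(tok, str):  # literal text must appear verbatim at pos
            if not msg.startswith(tok, pos):
                return None
            pos += len(tok)
            continue
        kind, name, arg = tok
        if kind == 'QSTRING':
            # one delimiter char: same open and close; two chars: open, then close
            if not arg or pos >= len(msg) or msg[pos] != arg[0]:
                return None
            end = msg.find(arg[-1], pos + 1)
            if end < 0:
                return None
            value, pos = msg[pos + 1:end], end + 1
        else:  # NUMBER / IPv4: match the value's regex at pos
            m = VALUE_RE[kind].match(msg, pos)
            if not m:
                return None
            value, pos = m.group(0), m.end()
        fields[name] = value
    return fields
WORKING = 'Deny@QSTRING:FIREWALL.DENY_PROTO: @src'  # the post's working rule
# Assumed variant (not from the post): interface quoted between " " and ":".
INTERFACE = (WORKING + '@QSTRING:FIREWALL.DENY_O_INT: :@'
             '@IPv4:FIREWALL.DENY_SRCIP@/@NUMBER:FIREWALL.DENY_SRCPORT@ dst')
```

With this model a space-only QSTRING after "src" swallows "OUTSIDE:10.0.0.0/1234" up to the next space, so a literal ":" after it never lines up, whereas the " :" delimiter pair stops at the colon.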