[syslog-ng] db-parser

Martin Holste mcholste at gmail.com
Tue Jul 7 18:10:16 CEST 2009


Some documentation is here:
http://marci.blogs.balabit.com/2009/04/intorduction-to-parser-in-syslog-ng-db.html

Try this:

<pattern>@ESTRING:id_message: @@QSTRING:msg:@</pattern>

I'm not sure about the msg part (didn't test it) but I'm sure that you
want an ESTRING for the beginning since there is no starting quote
char and you have special chars in what you are extracting.  Marton's
blog post has a lot more explanation, but in the end it will take a
bit of trial and error for you to get proficient at it.  It's worth
it, though--the db-parser module is extremely efficient and will add a
lot of depth to your analysis capabilities.

I'm working on a JavaScript front-end for point-and-click creation of
db-parser templates from example logs, but it won't be ready for
a while.

--Martin

On Tue, Jul 7, 2009 at 3:56 AM, Jacopo Cappelli<jacopo89 at gmail.com> wrote:
> I can't understand how db-parser works; I want to parse a string:
> m-56767-1333854 79.127.28.54 <mfdesigner at diggitgraphics.com>
> MessageScore is now 30, after adding 30 (Suspicious HELO - contains
> IP: '[79.127.28.54]')
>
> I want to have m-56767-1333854 in $ID_MESSAGE and 79.127.28.54
> <mfdesigner at diggitgraphics.com> MessageScore is now 30, after adding
> 30 (Suspicious HELO - contains IP: '[79.127.28.54]') in $MSG
>
> I tried with:
>
> <patterndb>
> <ruleset name='assp'>
>  <pattern>assp</pattern>
>  <rules>
>   <rule provider='balabit' id='1' class='system'>
>     <patterns>
>       <pattern>@QSTRING:id_message: @ @QSTRING:msg@</pattern>
>     </patterns>
>   </rule>
>  </rules>
> </ruleset>
> </patterndb>
>
> But the field in the db is empty. I read the link about db-parser usage
> but I can't resolve it...
>
> Thanks,
> Jacopo
> --
> Linux, Windows XP and MS-DOS
> (also known as the Good, the Bad and the Ugly).
> -- Matt Welsh

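Editor's note, added to this archive page; it is not part of Martin's or Jacopo's mail and not syslog-ng code. The snippet below is a small Python re-implementation of the pattern semantics the thread turns on, run over the sample line Jacopo quoted (embedded as constructed input). Jacopo's pattern fails because the first character of a @QSTRING@ argument is the opening quote, so `@QSTRING:id_message: @` demands that the message begin with a space; Martin's `@ESTRING:id_message: @` reads up to the first space instead, which is what is wanted. The toy also rejects `@QSTRING:msg:@`, which names no quote characters (the part Martin said he had not tested), and shows `@ANYSTRING:msg@` taking the rest of the line. The last pattern goes beyond the thread and picks every field out of the line, including the bracketed HELO address through a real QSTRING with `[` and `]` as quotes. The matcher supports only the parsers it needs, treats an ESTRING delimiter as a plain string, and reports a match only when the entire message is consumed, which is how I understand patterndb to behave; every function and constant name here is my own.

```python
import re


class PatternError(ValueError):
    """A pattern the toy cannot compile or apply (e.g. QSTRING without quotes)."""


# Regex-backed parsers; NUMBER is digits only in this toy.
REGEX_PARSERS = {
    "NUMBER": re.compile(r"\d+"),
    "IPv4": re.compile(r"\d{1,3}(?:\.\d{1,3}){3}"),
    "STRING": re.compile(r"\S+"),
}


def tokenize(pattern):
    """Split a pattern into ('lit', text) and ('parser', TYPE, name, arg) tokens.

    '@@' outside a parser is a literal '@'; '@TYPE:name[:arg]@' is a parser.
    """
    tokens, literal, i = [], [], 0
    while i < len(pattern):
        if pattern[i] != "@":
            literal.append(pattern[i])
            i += 1
            continue
        if pattern.startswith("@@", i):
            literal.append("@")
            i += 2
            continue
        end = pattern.find("@", i + 1)
        if end < 0:
            raise PatternError(f"unterminated parser in {pattern!r}")
        if literal:
            tokens.append(("lit", "".join(literal)))
            literal = []
        spec = pattern[i + 1:end].split(":", 2)
        name = spec[1] if len(spec) > 1 and spec[1] else None
        tokens.append(("parser", spec[0], name, spec[2] if len(spec) > 2 else ""))
        i = end + 1
    if literal:
        tokens.append(("lit", "".join(literal)))
    return tokens


def match(pattern, message):
    """Return the extracted fields as a dict, or None if the pattern does not match.

    The match is anchored at the start and must consume the whole message.
    """
    fields, pos = {}, 0
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            if not message.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
            continue
        _, ptype, name, arg = tok
        if ptype == "ESTRING":      # everything up to the delimiter, which is consumed
            if not arg:
                raise PatternError(f"ESTRING {name} needs a delimiter")
            end = message.find(arg, pos)
            if end < 0:
                return None
            value, pos = message[pos:end], end + len(arg)
        elif ptype == "QSTRING":    # arg[0] must open at pos, arg[-1] closes
            if not arg:
                raise PatternError(f"QSTRING {name} needs quote characters")
            if not message.startswith(arg[0], pos):
                return None
            end = message.find(arg[-1], pos + 1)
            if end < 0:
                return None
            value, pos = message[pos + 1:end], end + 1
        elif ptype == "ANYSTRING":  # the rest of the message
            value, pos = message[pos:], len(message)
        elif ptype in REGEX_PARSERS:
            found = REGEX_PARSERS[ptype].match(message, pos)
            if not found:
                return None
            value, pos = found.group(0), found.end()
        else:
            raise PatternError(f"parser {ptype} is not supported by this toy")
        if name:
            fields[name] = value
    return fields if pos == len(message) else None


# Constructed sample: the line from Jacopo's mail (address obfuscated by the archive).
SAMPLE = ("m-56767-1333854 79.127.28.54 <mfdesigner at diggitgraphics.com> "
          "MessageScore is now 30, after adding 30 "
          "(Suspicious HELO - contains IP: '[79.127.28.54]')")

JACOPO_PATTERN = "@QSTRING:id_message: @ @QSTRING:msg@"   # no match: wants a leading space
MARTIN_PATTERN = "@ESTRING:id_message: @@QSTRING:msg:@"   # QSTRING has no quote chars
FIXED_PATTERN = "@ESTRING:id_message: @@ANYSTRING:msg@"   # id up to first space, rest as msg
FULL_PATTERN = ("@ESTRING:id_message: @@IPv4:client_ip@ <@ESTRING:sender:>@ "
                "MessageScore is now @NUMBER:score@, after adding @NUMBER:delta@ "
                "(@ESTRING:reason:'@@QSTRING:helo_ip:[]@')")


def demo():
    """Run the thread's patterns and the full one against SAMPLE; errors become strings."""
    results = {}
    for label, pattern in (("jacopo", JACOPO_PATTERN), ("martin", MARTIN_PATTERN),
                           ("fixed", FIXED_PATTERN), ("full", FULL_PATTERN)):
        try:
            results[label] = match(pattern, SAMPLE)
        except PatternError as exc:
            results[label] = f"pattern error: {exc}"
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running it prints None for Jacopo's pattern, a pattern error for the untested QSTRING in Martin's, the two fields Jacopo asked for with the fixed pattern, and seven fields for the full one. The thing to take away is the rule of thumb Martin gave: use ESTRING when the value has no opening quote and is terminated by a known delimiter, QSTRING only when the value really is enclosed in quote characters, and ANYSTRING to swallow whatever is left.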