[syslog-ng] db-parser
Jacopo Cappelli
jacopo89 at gmail.com
Wed Jul 8 10:22:42 CEST 2009
There is something in my configuration because with your string not
log the id...
parser p_assp {
# db-parser(file("/opt/syslog-ng/etc/patterndb.xml"));
db-parser();
};
I try twice but not work.
log {
...
...
parser(p_assp);
...
};
Thanks,
Jacopo
2009/7/7 Martin Holste <mcholste at gmail.com>:
> Some documentation is here:
> http://marci.blogs.balabit.com/2009/04/intorduction-to-parser-in-syslog-ng-db.html
> .
>
> Try this:
>
> <pattern>@ESTRING:id_message: @@QSTRING:msg:@</pattern>
>
> I'm not sure about the msg part (didn't test it) but I'm sure that you
> want an ESTRING for the beginning since there is no starting quote
> char and you have special chars in what you are extracting. Marton's
> blog post has a lot more explanation, but in the end it will take a
> bit of trial and error for you to get proficient at it. It's worth
> it, though--the db-parser module is extremely efficient and will add a
> lot of depth to your analysis capabilities.
>
> I'm working on a Javascript front-end for point-and-click creation of
> db-parser templates from example logs, but it won't be ready for
> awhile.
>
> --Martin
>
> On Tue, Jul 7, 2009 at 3:56 AM, Jacopo Cappelli<jacopo89 at gmail.com> wrote:
>> I can't understand how work db-parser, i want to parse a string:
>> m-56767-1333854 79.127.28.54 <mfdesigner at diggitgraphics.com>
>> MessageScore is now 30, after adding 30 (Suspicious HELO - contains
>> IP: '[79.127.28.54]')
>>
>> I wanto to have m-56767-1333854 on $ID_MESSAGE and 79.127.28.54
>> <mfdesigner at diggitgraphics.com> MessageScore is now 30, after adding
>> 30 (Suspicious HELO - contains IP: '[79.127.28.54]') on $MSG
>>
>> i try with:
>>
>> <patterndb>
>> <ruleset name='assp'>
>> <pattern>assp</pattern>
>> <rules>
>> <rule provider='balabit' id='1' class='system'>
>> <patterns>
>> <pattern>@QSTRING:id_message: @ @QSTRING:msg@</pattern>
>> </patterns>
>> </rule>
>> </rules>
>> </ruleset>
>> </patterndb>
>>
>> But i have the field on db empty. I read link about db-parser usage
>> but i can't resolve...
>>
>> Thanks,
>> Jacopo
>> --
>> Linux, Windows Xp ed MS-DOS
>> (anche conosciuti come il Bello, il Brutto ed il Cattivo).
>> -- Matt Welsh
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
--
Linux, Windows Xp ed MS-DOS
(anche conosciuti come il Bello, il Brutto ed il Cattivo).
-- Matt Welsh
More information about the syslog-ng
mailing list