[syslog-ng] db-parser

ILLES, Marton illes.marton at balabit.hu
Mon Jul 13 19:59:43 CEST 2009


Hi,

First you should simply try a pattern like this:

<pattern>@ESTRING:id_message: @</pattern>

This would match your line and would extract the message id. Then you
can work on extending it. Also, probably the easiest option is to use the
@ANYSTRING@ parser, which would match everything till the end of the
message. It is available in the 3.1 git tree:

http://git.balabit.hu/?p=bazsi/syslog-ng-3.1.git;a=commit;h=c22ee8dad59b56b9f2d4f85282570d77e931d2be

So your pattern would look something like this:

<pattern>@ESTRING:id_message: @@ANYSTRING:rest@</pattern>

In the SQL statement you can then use the ${id_message} and ${rest}
macros. (Note that ANYSTRING is available only in the 3.1 tree, which
uses the newer patterndb format!)

Let me know if it works.

best,

Marton

On Tue, 2009-07-07 at 11:10 -0500, Martin Holste wrote:
> Some documentation is here:
> http://marci.blogs.balabit.com/2009/04/intorduction-to-parser-in-syslog-ng-db.html
> 
> Try this:
> 
> <pattern>@ESTRING:id_message: @@QSTRING:msg:@</pattern>
> 
> I'm not sure about the msg part (didn't test it) but I'm sure that you
> want an ESTRING for the beginning since there is no starting quote
> char and you have special chars in what you are extracting.  Marton's
> blog post has a lot more explanation, but in the end it will take a
> bit of trial and error for you to get proficient at it.  It's worth
> it, though--the db-parser module is extremely efficient and will add a
> lot of depth to your analysis capabilities.
> 
> I'm working on a JavaScript front-end for point-and-click creation of
> db-parser templates from example logs, but it won't be ready for
> a while.
> 
> --Martin
> 
> On Tue, Jul 7, 2009 at 3:56 AM, Jacopo Cappelli <jacopo89 at gmail.com> wrote:
> > I can't understand how db-parser works; I want to parse a string:
> > m-56767-1333854 79.127.28.54 <mfdesigner at diggitgraphics.com>
> > MessageScore is now 30, after adding 30 (Suspicious HELO - contains
> > IP: '[79.127.28.54]')
> >
> > I want to have m-56767-1333854 on $ID_MESSAGE and 79.127.28.54
> > <mfdesigner at diggitgraphics.com> MessageScore is now 30, after adding
> > 30 (Suspicious HELO - contains IP: '[79.127.28.54]') on $MSG
> >
> > I tried with:
> >
> > <patterndb>
> > <ruleset name='assp'>
> >  <pattern>assp</pattern>
> >  <rules>
> >   <rule provider='balabit' id='1' class='system'>
> >     <patterns>
> >       <pattern>@QSTRING:id_message: @ @QSTRING:msg@</pattern>
> >     </patterns>
> >   </rule>
> >  </rules>
> > </ruleset>
> > </patterndb>
> >
> > But the field in the DB is empty. I read the link about db-parser usage
> > but I can't resolve it...
> >
> > Thanks,
> > Jacopo
> > --
> > Linux, Windows XP and MS-DOS
> > (also known as the Good, the Bad and the Ugly).
> > -- Matt Welsh
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> >
-- 
Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
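As an added illustration of the pattern semantics discussed in this thread (example code written for this page, not syslog-ng's own parser and not code from any of the posters), the Python below re-implements only the three parsers the replies mention, @ESTRING:name:delim@, @QSTRING:name:quotes@ and @ANYSTRING:name@, with deliberately simplified semantics: ESTRING takes everything up to its delimiter and consumes the delimiter, QSTRING requires the text to start with the opening quote character, ANYSTRING takes the rest of the line, and a pattern only matches when the whole line has been consumed (an assumption made here; the trailing @ANYSTRING@ in Marton's pattern guarantees that anyway). Run against the line Jacopo posted, it shows why his QSTRING-based pattern extracts nothing (a space is acting as the "quote" and the line does not begin with one) while Marton's ESTRING + ANYSTRING pattern fills id_message and rest. The `tokenize`, `match` and `SAMPLE` names are this example's own.

```python
"""Tiny re-implementation of the patterndb parser syntax from the thread.

Added example, not syslog-ng code.  Supports @ESTRING:name:delim@,
@QSTRING:name:quotes@, @ANYSTRING:name@ and '@@' as a literal '@'.
"""

from typing import Optional

# Constructed sample: the message Jacopo wanted split into $id_message
# and the remainder.
SAMPLE = (
    "m-56767-1333854 79.127.28.54 <mfdesigner at diggitgraphics.com> "
    "MessageScore is now 30, after adding 30 (Suspicious HELO - contains "
    "IP: '[79.127.28.54]')"
)


def tokenize(pattern: str) -> list:
    """Split a pattern into ('lit', text) and ('parser', type, name, param)."""
    tokens, lit, i = [], [], 0
    while i < len(pattern):
        if pattern[i] != "@":
            lit.append(pattern[i])
            i += 1
            continue
        if pattern.startswith("@@", i):      # escaped literal '@'
            lit.append("@")
            i += 2
            continue
        end = pattern.find("@", i + 1)
        if end < 0:
            raise ValueError("unterminated parser in pattern: " + pattern)
        # "TYPE:name:param" -> param is optional, name may be missing too
        ptype, name, param = (pattern[i + 1:end].split(":", 2) + [None, None])[:3]
        if lit:
            tokens.append(("lit", "".join(lit)))
            lit = []
        tokens.append(("parser", ptype, name, param))
        i = end + 1
    if lit:
        tokens.append(("lit", "".join(lit)))
    return tokens


def match(pattern: str, text: str) -> Optional[dict]:
    """Return {name: value} for a matching pattern, or None.

    Assumption of this example: the entire line must be consumed.
    A parser that is reached without its required parameter raises.
    """
    values, pos = {}, 0
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            if not text.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
            continue
        _, ptype, name, param = tok
        if ptype == "ESTRING":
            # everything up to the delimiter; the delimiter itself is consumed
            if not param:
                raise ValueError("ESTRING needs a delimiter")
            end = text.find(param, pos)
            if end < 0:
                return None
            value, pos = text[pos:end], end + len(param)
        elif ptype == "QSTRING":
            # first char of param opens the quote, last char closes it;
            # the text has to start with the opening quote right here
            if not param:
                raise ValueError("QSTRING needs its quote character(s)")
            open_q, close_q = param[0], param[-1]
            if not text.startswith(open_q, pos):
                return None
            end = text.find(close_q, pos + 1)
            if end < 0:
                return None
            value, pos = text[pos + 1:end], end + 1
        elif ptype == "ANYSTRING":
            value, pos = text[pos:], len(text)
        else:
            raise ValueError("parser not implemented in this example: " + ptype)
        if name:
            values[name] = value
    return values if pos == len(text) else None


if __name__ == "__main__":
    for pat in ("@QSTRING:id_message: @ @QSTRING:msg@",     # Jacopo's attempt
                "@ESTRING:id_message: @@ANYSTRING:rest@"):  # Marton's suggestion
        print(pat, "->", match(pat, SAMPLE))
```

The first pattern fails at its very first parser: QSTRING with a space as its quote character wants the line to open with a space, and "m-56767-1333854" does not. The second pattern stops id_message at the first space and hands the rest of the line to ANYSTRING, which is exactly the split Jacopo asked for.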