[syslog-ng] patterndb: collect login/logout samples

Balazs Scheidler bazsi at balabit.hu
Thu Jul 15 22:08:20 CEST 2010


On Thu, 2010-07-15 at 20:37 +0200, Fekete Róbert wrote:
> Hi,  
> On Thursday, July 15, 2010 14:16 CEST, "ILLES, Marton" <illes.marton at balabit.hu> wrote: 
>  
> > Hi,
> > 
> > I took the liberty and created my own patterndb git tree, so I can track
> > my patches there and Bazsi can easily pull from there. You can check it
> > at git.balabit.hu:
> > http://git.balabit.hu/?p=marci/syslog-ng-patterndb.git;a=summary
> > 
> > I have added a small python script test-patterns.py which can be used to
> > automatically check the example messages against the patterns, while it
> > also verifies the parsed name/value pairs. It is kind of a handy tool
> > when you poke with the patterns and want to run automatic tests. It
> > requires pdbtool and python xml package.
> > 
> > I have fixed the sshd.pdb example messages and extended them to check
> > for name/value pairs as well.
> > 
> > I have also modified the patterns to use the ESTRING/ANYSTRING parsers
> > instead of the STRING/IPv4/NUMBER parsers as the previous ones are
> > faster, and they should be used when possible. The STRING/IPv4/NUMBER
> > parsers parse the message char by char, while the ESTRING/QSTRING parsers
> > are looking for a stop character/string and parse everything till then.
> > The ANYSTRING parser on the other hand simply parses everything till the
> > end of the message, so it is handy to parse the rest of the message into
> 
> I was wondering about how the ANYSTRING parser would play together with the multiline message handling introduced in 3.2.  Would it parse the message to the end of the message, or only to the end of the line? If it goes all the way to the end of the message, then another parser (or an optional parameter for ANYSTRING) that parses only to the end of the current line might be useful to properly handle multiline messages.
> 
> Just a thought.


It'd eat the string till the end of the file, you are right, it could be
useful, but I'd like to wait for the first occurrence of such a pattern.

-- 
Bazsi
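To make the parser semantics discussed in the quoted mail concrete, here is an added toy emulation (example code, not pdbtool or anything from the patterndb tree). The pattern syntax follows the @PARSER:name:arg@ form patterndb uses, but the matcher itself is a simplified assumption: it supports only four parser types, requires the whole message to be consumed, and runs on a constructed sshd-like sample to show ESTRING stopping at its stop string while ANYSTRING swallows the rest, newline included.

```python
# Added example, not pdbtool or any syslog-ng code: a toy emulation of a
# few patterndb parser types, to show the difference between char-by-char
# parsers (STRING, NUMBER) and the stop-string based ESTRING, and that
# ANYSTRING swallows the rest of the message, embedded newlines included.
import re

TOKEN = re.compile(r"@(\w+):(\w+)(?::([^@]*))?@")  # @PARSER:name[:arg]@

# Constructed sshd-like sample with a second line appended to it.
SAMPLE = "Accepted password for alice from 192.0.2.10 port 4242 ssh2\nextra line"

def match_pattern(pattern, message):
    """Return name/value pairs, or None if the pattern does not match."""
    values, pos, pat_pos = {}, 0, 0
    while pat_pos < len(pattern):
        m = TOKEN.match(pattern, pat_pos)
        if m is None:  # a literal character in the pattern must match exactly
            if pos >= len(message) or message[pos] != pattern[pat_pos]:
                return None
            pos, pat_pos = pos + 1, pat_pos + 1
            continue
        kind, name, arg = m.groups()
        pat_pos = m.end()
        if kind == "ANYSTRING":
            values[name] = message[pos:]  # everything to the end, newlines too
            pos = len(message)
        elif kind == "ESTRING":
            end = message.find(arg, pos)  # one substring search for the stop string
            if end < 0:
                return None
            values[name] = message[pos:end]
            pos = end + len(arg)
        elif kind in ("STRING", "NUMBER"):
            # char-by-char: walk the message while the character class holds
            keep = (lambda c: not c.isspace()) if kind == "STRING" else str.isdigit
            end = pos
            while end < len(message) and keep(message[end]):
                end += 1
            if end == pos:
                return None
            values[name] = message[pos:end]
            pos = end
        else:
            raise ValueError("unsupported parser: " + kind)
    return values if pos == len(message) else None  # simplification: full match

def parse_sshd_login(message=SAMPLE):
    pattern = ("Accepted @ESTRING:method: for @@ESTRING:user: from @"
               "@ESTRING:ip: port @@NUMBER:port@ @ANYSTRING:rest@")
    return match_pattern(pattern, message)
```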
