[syslog-ng] QSTRING with @
Peter Czanik
czanik at balabit.hu
Thu Sep 30 14:38:55 CEST 2010
Hello,
I'm trying to create a pattern, and ran into an interesting problem: I
can't use @ with QSTRING as beginning character. Example:
<patterns>
<pattern>(?@QSTRING:usracct.device:@@)@ [INFO] Anonymous user
logged in</pattern>
</patterns>
<examples>
<example>
<test_message program="pure-ftpd">(?@192.168.2.52) [INFO]
Anonymous user logged in</test_message>
<test_values>
<test_value name="usracct.device">192.168.2.52</test_value>
</test_values>
</example>
</examples>
But when I test it, pdbtool says:
Unknown parser type specified; type=')'
Testing message program='pure-ftpd' message='(?@192.168.2.52) [INFO]
Anonymous user logged in'
Wrong match name='.classifier.rule_id', value='',
expected='ef75e712-5e9e-4ca0-a614-5e1bf512286b'
Wrong match name='usracct.device', value='', expected='192.168.2.52'
I changed it to:
<pattern>(?@@@ESTRING:usracct.device:)@ [INFO] Anonymous user
logged in</pattern>
Which works, but I'm still curious, if @ should work as a quotation
character.
Bye,
--
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
More information about the syslog-ng
mailing list