[syslog-ng] QSTRING with @

Matthew Hall mhall at mhcomputing.net
Thu Sep 30 15:51:12 CEST 2010 

Hello CzP,

Unfortunately I think it might be forbidden.

@STRING@: A sequence of alphanumeric characters (0-9, A-z), not 
including any whitespace. Optionally, other accepted characters can be 
listed as parameters (e.g., to parse a complete sentence, add the 
whitespace as parameter, like: @STRING:: @). Note that the @ character 
cannot be a parameter, nor can line-breaks or tabs.

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_parsers_pattern_databases.html

The documentation is confusing because the restriction is only listed 
for @STRING@ but seems like it applies to everything from my experience.

It would be good if this could be fixed somehow.

Matthew.

On Thu, Sep 30, 2010 at 02:38:55PM +0200, Peter Czanik wrote:
> Hello,
> 
> I'm trying to create a pattern, and ran into an interesting problem: I
> can't use @ with QSTRING as beginning character. Example:
> 
>         <patterns>
>           <pattern>(?@QSTRING:usracct.device:@@)@ [INFO] Anonymous user
> logged in</pattern>
>         </patterns>
>         <examples>
>           <example>
>             <test_message program="pure-ftpd">(?@192.168.2.52) [INFO]
> Anonymous user logged in</test_message>
>             <test_values>
>               <test_value name="usracct.device">192.168.2.52</test_value>
>             </test_values>
>           </example>
>         </examples>
> 
> But when I test it, pdbtool says:
> 
> Unknown parser type specified; type=')'
> Testing message program='pure-ftpd' message='(?@192.168.2.52) [INFO]
> Anonymous user logged in'
>  Wrong match name='.classifier.rule_id', value='',
> expected='ef75e712-5e9e-4ca0-a614-5e1bf512286b'
>  Wrong match name='usracct.device', value='', expected='192.168.2.52'
> 
> I changed it to:
> 
>           <pattern>(?@@@ESTRING:usracct.device:)@ [INFO] Anonymous user
> logged in</pattern>
> 
> Which works, but I'm still curious, if @ should work as a quotation
> character.
> 
> Bye,
> 
> -- 
> Peter Czanik (CzP) <czanik at balabit.hu>
> BalaBit IT Security / syslog-ng upstream
> http://czanik.blogs.balabit.com/
> 
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>

More information about the syslog-ng mailing list