[syslog-ng] PatternDB: macros extraction from URLs

Valentijn Sessink valentyn at blub.net
Thu Feb 17 13:30:55 CET 2011


Ioan Indreias schreef:
> For example we would like to extract 'user' and 'action' from an URL
> like the one mentioned below:
> 
> APP[9988]: WEB[0011]:
> http://abc.example.com/query.php?user=test1&action=login&host=prod1&device=device1
> HTTP 1.1
[...]
> Does somebody have some hints on how to optimize the extraction of macros
> when they are not in a known order?

It's probably the HTTP variables you're after, not the URLs.

For example, how about:
http://abc.example.com/query.php?us%65r=test1&%61ction=login&host=prod1&device=device1
Or even:
http://abc.example.com/query.php?us%65r=%61dmin&%61ction=login&host=prod1&device=device1&user=guest&us%65r=%61dmin&action=nothing
(where syslog-ng would report "user=guest" doing "nothing" on any
"user=/action=" matching pattern, while the web app is happily logging
you in as admin)

My first thought is: don't do this in syslog-ng, because it won't tell
you the things you want to know. (I could be wrong, as I don't know what
your web app is about and what you're trying to extract and why).

Best regards,

Valentijn
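The point above (percent-encoded parameter names and repeated parameters defeat a literal "user=/action=" pattern) can be checked with a few lines of Python. This is an added example, not code from the post or from syslog-ng: it runs a naive literal match and a proper percent-decoding query parser over constructed log lines modelled on the three URLs quoted in the thread. Which duplicate a web application keeps (first or last occurrence) is framework-specific, so the example shows both policies rather than assuming one.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines, modelled on the URLs quoted in the thread.
LOG_LINES = [
    "APP[9988]: WEB[0011]: http://abc.example.com/query.php?"
    "user=test1&action=login&host=prod1&device=device1 HTTP 1.1",
    "APP[9988]: WEB[0011]: http://abc.example.com/query.php?"
    "us%65r=test1&%61ction=login&host=prod1&device=device1 HTTP 1.1",
    "APP[9988]: WEB[0011]: http://abc.example.com/query.php?"
    "us%65r=%61dmin&%61ction=login&host=prod1&device=device1"
    "&user=guest&us%65r=%61dmin&action=nothing HTTP 1.1",
]

URL_RE = re.compile(r"https?://\S+")
# A literal 'user=' / 'action=' match, the way a hand-written pattern tends to look.
NAIVE_RE = re.compile(r"[?&](user|action)=([^&\s]*)")


def naive_extract(line):
    """Literal matching: misses percent-encoded names; the last literal match wins."""
    found = {}
    for name, value in NAIVE_RE.findall(line):
        found[name] = value
    return found


def decoded_pairs(line):
    """Pull the URL out of the log line and return its query as decoded (name, value) pairs.

    parse_qsl percent-decodes both names and values, so 'us%65r' becomes 'user'
    and '%61dmin' becomes 'admin', and it keeps every repeated parameter in order.
    """
    match = URL_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group(0)).query
    return parse_qsl(query, keep_blank_values=True)


def app_view(pairs, wanted=("user", "action"), last_wins=True):
    """Approximate what the server-side code sees for the wanted parameters.

    Duplicate handling is framework-specific (assumption: some keep the last
    occurrence, others the first), so the policy is a parameter here.
    """
    view = {}
    for name, value in pairs:
        if name in wanted and (last_wins or name not in view):
            view[name] = value
    return view


def duplicate_names(pairs):
    """Names that occur more than once after decoding; a cheap tamper indicator."""
    counts = {}
    for name, _ in pairs:
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, count in counts.items() if count > 1)


def analyse(line):
    pairs = decoded_pairs(line)
    return {
        "naive": naive_extract(line),
        "app_last_wins": app_view(pairs, last_wins=True),
        "app_first_wins": app_view(pairs, last_wins=False),
        "duplicates": duplicate_names(pairs),
    }


if __name__ == "__main__":
    for sample in LOG_LINES:
        print(analyse(sample))
```

On the third sample the literal pattern reports user=guest and action=nothing, exactly as the post predicts, while the decoded view shows user=admin under either duplicate policy and two repeated names; the second sample yields nothing at all to the literal pattern. If extraction has to stay in the log pipeline, the decoded pairs plus the duplicate-name check are the minimum worth recording, and the application's own authoritative log remains the better source.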

