[syslog-ng] PatternDB: macros extraction from URLs

Balazs Scheidler bazsi at balabit.hu
Wed Feb 23 16:58:07 CET 2011


This should be either parsed with csv-parser() or a separate
url-parser() _after_ the URL has been identified by patterndb.

On Thu, 2011-02-17 at 10:31 +0200, Ioan Indreias wrote:
> Hello all,
> 
> We are using OSE 3.2.1 version and till now we have managed to
> configure most of the patterns we need.
> 
> However we have reached a point where we need some hints from the
> users of this list. The problem is the following: how to extract
> macros when the order of them is not known (like in a URL).
> 
> For example, we would like to extract 'user' and 'action' from a URL
> like the one mentioned below:
> 
> APP[9988]: WEB[0011]:
> http://abc.example.com/query.php?user=test1&action=login&host=prod1&device=device1
> HTTP 1.1
> 
> Unfortunately the "user" and "action" could be placed anywhere in the
> URL (as the URL is not created by our application), thus we have to
> create something like this:
> 
> <pattern>http://abc.example.com/query.php@ESTRING::u@ser=@ESTRING:user:&amp;@action=@ESTRING:action:&amp;@</pattern>
> <pattern>http://abc.example.com/query.php@ESTRING::u@ser=@ESTRING:user:&amp;@ESTRING::a@ction=@ESTRING:action:&amp;@</pattern>
> <pattern>http://abc.example.com/query.php@ESTRING::a@ction=@ESTRING:action:&amp;@user=@ESTRING:user:&amp;@</pattern>
> <pattern>http://abc.example.com/query.php@ESTRING::a@ction=@ESTRING:action:&amp;@ESTRING::u@ser=@ESTRING:user:&amp;@</pattern>
> and so on....
> 
> Not to mention if we need to extract the 'device' macro as well - the
> number of patterns grows significantly.
> 
> Does somebody have some hints on how to optimize the extraction of macros
> when they are not in a known order?

-- 
Bazsi
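
The two-stage approach suggested in the reply, as an added Python sketch that is not part of the original message and is not syslog-ng code: first locate the URL, then parse its query string by name so parameter order no longer matters. The sample line is constructed from the one quoted in the thread; `extract_macros`, `WANTED` and the `dup_params` field are hypothetical names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample, modelled on the log line quoted in the thread.
SAMPLE = ("APP[9988]: WEB[0011]: "
          "http://abc.example.com/query.php?user=test1&action=login"
          "&host=prod1&device=device1 HTTP 1.1")

# Stage 1 (the job patterndb does in the thread): find the URL token.
URL_RE = re.compile(r"https?://\S+")

WANTED = ("user", "action", "device")  # hypothetical macro names


def extract_macros(message, wanted=WANTED):
    """Return {name: value} for the wanted query parameters, in any order.

    Missing parameters are omitted. A repeated parameter keeps its first
    value and is listed under "dup_params" so the ambiguity stays visible
    to whoever reads the parsed log later.
    """
    m = URL_RE.search(message)
    if m is None:
        return {}
    # Stage 2: split the query string into key/value pairs by name.
    query = urlsplit(m.group(0)).query
    macros, dups = {}, []
    # keep_blank_values: "user=" is reported as empty instead of dropped.
    # parse_qsl also percent-decodes keys and values.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key not in wanted:
            continue
        if key in macros:
            if key not in dups:
                dups.append(key)
            continue
        macros[key] = value
    if dups:
        macros["dup_params"] = ",".join(dups)
    return macros


if __name__ == "__main__":
    print(extract_macros(SAMPLE))
```

One parser pass replaces the per-ordering pattern list, and adding 'device' is one more entry in `WANTED` rather than another set of permutations.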



