[syslog-ng] patterndb - user defined parsers

Evan Rempel erempel at uvic.ca
Sun Nov 27 07:27:57 CET 2011


It would be useful to permit users to define parsers in the patterndb.
For example, in our environment, by policy we user a special set and order of characters of our
administrators log into hosts and administer them. It would be useful to define a parser of

@SYSADMIN@ that would match only our sysadmin accounts.
We could then use this parser in the patterndb to take some action such as sending
a message to the administrators about the event.

Another example would be to create parser for @LOCALIP@ that matches my organizaions IP space.
That way a set of rules can be defined using @LOCALIP@ for some kind of alerting, and then any
organization could redifine the @LOCALIP@ and use all of the goodness that some third party had created for
monitoring logs like an intrusion protection system.

Current parsers can be described as

QSTRING 
  - match opening char
 - while not closing char, keep looking

ESTRING
  - while not end string, keep looking

NUMBER
  - while digit keep looking

So it seems that general parsers could be constructed  with two styles of matching, and
then concatenating the together.

1. While in set of characters [some list of characters]
2. While not in set of characters [some list of characters]

I would call these
INSET to match 1 or more of a set of characters, unless a #-# were specified, then a minimum to a maximum would be required.
OUTSET to match 1 or more of anything except the characters, unless a #-# were specified, then a minimum to a maximum would be required.
(perhaps a count of + or * could be used to specify 1 or more and 0 or more respectively)

and then limit the count of such occurrences so that you could build the @IPv4@ parser as

@INSET::123456789*1@@INSET::0123456789:0-2 at .@INSET::123456789:1@@INSET::0123456789:0-2 at .@INSET::123456789:1@@INSET::0123456789:0-2 at .@INSET::123456789:1@@INSET::0123456789:0-2@

and @NUMBER@ would be
@INSET::123456789:1@@INSET::0123456789@

@FLOAT@ would be
@INSET::0123456789.@

Then a user could make
<parser name="THOUSAND">@INSET::,:0-1@@INSET::0123456789:3@</parser>
<parser name="MONEY">$@INSET::123456789:1-3@@THOUSAND:::*@. at INSET::0123456789:2@

This is kind of like inventing regular expressions :-(

I'm not sure how well this fits into the radix tree matching structure, but I wanted to start this discussion.

Given the MONEY example, I think it is obvious that there needs to be a way to specify repeating groups of "something"

Let the discussion begin!


More information about the syslog-ng mailing list