[syslog-ng] Forward slashes in QSTRING

Evan Rempel erempel at uvic.ca
Sun Jun 17 22:27:33 CEST 2012


You are missing the opening quote before the /etc/



Evan Rempel
250.721.7691
Systems Administrator
University of Victoria

On 2012-06-17, at 10:44 AM, "Michael Starks" <syslog-ng-list at michaelstarks.com> wrote:

> Is it possible to use a / as a delimiter in QSTRING? The documentation 
> seems to permit it, but my pattern doesn't work. Here's the pattern:
> 
> <pattern>Alert Level: @NUMBER:i0:@; Rule: @NUMBER:i1:@ - @ESTRING:s0:;@ 
> Location: @QSTRING:s1:()@ @IPv4:i2:@->syscheck; Integrity checksum 
> changed for: @QSTRING:s4:/'@</pattern>
> 
> And here's the string I want to match on:
> 
> Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location: 
> (agentname) 172.16.0.1->syscheck; Integrity checksum changed for: 
> '/etc/fstab'
> 
> The idea is to extract only 'fstab' (without the quotes). I have also 
> tried 0x2f in place of / with similar results, and various attempts at 
> escaping it have failed. Thanks.
> 
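Added example, not part of the original thread and not syslog-ng code: a simplified Python model of how a QSTRING parser anchors on its opening quote character, applied to the end of the message quoted above. The helper names `qstring` and `match_tail` are hypothetical, and the matching rules are an assumption based on the documented QSTRING behaviour (first parameter character opens the quote, last one closes it).

```python
# Simplified model of a patterndb QSTRING parser. Assumption: it follows the
# documented behaviour only; it is not derived from syslog-ng source code.

def qstring(text, pos, quotes):
    """Match a quoted string that starts exactly at text[pos].

    quotes is one character (same opening and closing quote) or two
    characters (opening, closing). Returns (captured_value, next_pos),
    or None when the parser does not match at this position.
    """
    open_q, close_q = quotes[0], quotes[-1]
    if pos >= len(text) or text[pos] != open_q:
        return None  # no skipping ahead: the opening quote must be right here
    end = text.find(close_q, pos + 1)
    if end == -1:
        return None  # opening quote without a closing quote
    return text[pos + 1:end], end + 1


def match_tail(text, literal, quotes):
    """Match `literal` followed by one QSTRING; return the captured value."""
    if not text.startswith(literal):
        return None
    result = qstring(text, len(literal), quotes)
    return result[0] if result else None


# Constructed sample: the end of the log message quoted in the thread.
TAIL = "changed for: '/etc/fstab'"

if __name__ == "__main__":
    # Pattern as posted: "...changed for: @QSTRING:s4:/'@"
    # The input has ' where the parser expects its opening quote /.
    print(match_tail(TAIL, "changed for: ", "/'"))
    # Same parser with the opening ' written as a literal in front of it.
    print(match_tail(TAIL, "changed for: '", "/'"))
    # The Location field from the same pattern: @QSTRING:s1:()@
    print(qstring("(agentname) 172.16.0.1->syscheck", 0, "()"))
```
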

