[syslog-ng] Forward slashes in QSTRING
Evan Rempel
erempel at uvic.ca
Sun Jun 17 22:27:33 CEST 2012
You are missing the opening quote before the /etc/
Evan Rempel
250.721.7691
Systems Administrator
University of Victoria
On 2012-06-17, at 10:44 AM, "Michael Starks" <syslog-ng-list at michaelstarks.com> wrote:
> Is it possible to use a / as a delimiter in QSTRING? The documentation
> seems to permit it, but my pattern doesn't work. Here's the pattern:
>
> <pattern>Alert Level: @NUMBER:i0:@; Rule: @NUMBER:i1:@ - @ESTRING:s0:;@
> Location: @QSTRING:s1:()@ @IPv4:i2:@->syscheck; Integrity checksum
> changed for: @QSTRING:s4:/'@</pattern>
>
> And here's the string I want to match on:
>
> Alert Level: 7; Rule: 550 - Integrity checksum changed.; Location:
> (agentname) 172.16.0.1->syscheck; Integrity checksum changed for:
> '/etc/fstab'
>
> The idea is to extract only 'fstab' (without the quotes). I have also
> tried 0x2f in place of / with similar results, and various attempts at
> escaping it have failed. Thanks.
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
More information about the syslog-ng
mailing list