[syslog-ng] quote characters (or other specials) in patterens?

Nick linickx at gmail.com
Thu Dec 19 14:49:54 CET 2013 

Hello,

How should I handle quote characters (or other specials) in patterens?

(To help with redering the examples below can be found here:
https://gist.github.com/linickx/8038784)

This works and will validate as expected (working.xml)...

<patterndb version='4' pub_date='2013-12-17'>
    <ruleset name='bluecoat' id='dd001'>
        <pattern>bluecoat</pattern>
            <rules>
                <rule provider='linickx' id='nbdd001' class='system'>
                    <patterns>

<pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@
@NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - -
@ESTRING:BC_ACTION: @</pattern>
                    </patterns>
                    <examples>
                        <example>
                            <test_message program="bluecoat">10:57:56
43 10.8.26.200 - - - OBSERVED "Web Ads/Analytics"
http://googleads.g.doubleclick.net/mads/  200 TCP_CLIENT_REFRESH GET
image/png http pagead2.googlesyndication.com 80 /
pagead/images/nessie_icon_chevron_white.png - png "Mozilla/5.0 (Linux;
U; Android 4.0.4; en-gb; P76a(K3G5) Build/IMM76D) AppleWebKit/534.30
(KHTML, like Gecko) Version/4.0 Safari/534.30 (Mobile;
afma-sdk-a-v6.2.1)" 10.8.24.5 724 1277 -</t
est_message>
                            <test_values>
                                <test_value name="BC_HOUR">10</test_value>
                                <test_value name="BC_MIN">57</test_value>
                                <test_value name="BC_SEC">56</test_value>
                                <test_value name="BC_TIME_TAKEN">43</test_value>
                                <test_value
name="BC_CLIENT_ADDRESS">10.8.26.200</test_value>
                                <test_value
name="BC_ACTION">OBSERVED</test_value>
                            </test_values>
                       </example>
                    </examples>
                </rule>
            </rules>
    </ruleset>
</patterndb>

Simply by updating <pattern> with a quote for my next match (broken1.xml) ...

<pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@
@NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - -
@ESTRING:BC_ACTION: @ "</pattern>

... the whole thing bjorks (broken1_output.txt)...

[nick at localhost ~]$ pdbtool test --validate nick.xml
nick.xml validates
Key contains '@' without escaping; key='@"', value='nbdd001'
Testing message program='bluecoat' message='10:57:56 43 10.8.26.200 -
- - OBSERVED "Web Ads/Analytics"
http://googleads.g.doubleclick.net/mads/  200 TCP_CLIENT_REFRESH GET
image/png http pagead2.googlesyndication.com 80
/pagead/images/nessie_icon_chevron_white.png - png "Mozilla/5.0
(Linux; U; Android 4.0.4; en-gb; P76a(K3G5) Build/IMM76D)
AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
(Mobile; afma-sdk-a-v6.2.1)" 10.8.24.5 724 1277 -'
 Wrong match name='.classifier.rule_id', value='', expected='nbdd001'
 Wrong match name='BC_HOUR', value='', expected='10'
 Wrong match name='BC_MIN', value='', expected='57'
 Wrong match name='BC_SEC', value='', expected='56'
 Wrong match name='BC_TIME_TAKEN', value='', expected='43'
 Wrong match name='BC_CLIENT_ADDRESS', value='', expected='10.8.26.200'
 Wrong match name='BC_ACTION', value='', expected='OBSERVED'
[nick at localhost ~]$

I have tried various escape methods...

(escape_traditional.xml)
<pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@
@NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - -
@ESTRING:BC_ACTION: @ \"</pattern>

or

(escape_at.xml)
<pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@
@NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - -
@ESTRING:BC_ACTION: @ @"</pattern>

I have tried various match methods...

(test_estring_stopquote.xml)
<pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@
@NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - -
@ESTRING:BC_ACTION: @ "@ESTRING:BC_CATEGORY:"@</pattern>
<test_value name="BC_CATEGORY">Web Ads/Analytics</test_value>

or

(test_estring_incquotes.xml)
<pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@
@NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - -
@ESTRING:BC_ACTION: @ @ESTRING:BC_CATEGORY: @</pattern>
<test_value name="BC_CATEGORY">"Web Ads/Analytics"</test_value>

or

(test_qstring.xml)
<pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@
@NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - -
@ESTRING:BC_ACTION: @ @QSTRING:BC_CATEGORY:"@</pattern>
<test_value name="BC_CATEGORY">Web Ads/Analytics</test_value>

But no joy! (same error output as above) Any pointers would be appreciated!

Testing carried out on:
> Fedora release 19 (Schrödinger’s Cat)
> syslog-ng-3.4.6-1.fc19.i686

Thanks in Advance,
Nick

More information about the syslog-ng mailing list