[syslog-ng] need help with pattern, get .classifier.class=unknown

Balint Kovacs balint.kovacs at balabit.com
Thu Feb 14 15:32:37 CET 2013 

Hi,

On 02/14/2013 03:26 PM, Stefan Sabolowitsch wrote:
> Hi all,
> i use the net screen pattern
>
> the ruleset:
>
>      <ruleset name="NetScreen" id='1001'>
>          <pattern>fw</pattern>
>          <rules>
>              <rule provider="ELSA" class='1001' id='1001'>
>                  <patterns>
>                      <pattern>NetScreen device_id=@ESTRING:s0: @@ESTRING:: @start_time="@ESTRING::"@ duration=@ESTRING:: @policy_id=@ESTRING:i0: @service=@ESTRING:s1: @proto=@ESTRING:: @src zone=@ESTRING:s2: @dst zone=@ESTRING:s3: @action=@ESTRING:s4: @sent=@ESTRING:: @rcvd=@ESTRING:: @src=@ESTRING:i1: @dst=@ESTRING:i2: @src_port=@ESTRING:i3: @dst_port=@ESTRING:i4: @session_id=@ESTRING:: @reason=Traffic Denied</pattern>
>                  </patterns>
>                  <examples>
>                      <example>
>                          <test_message program="NetScreen deny">NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied</test_message>
>                          <!-- device -->
>                          <test_value name="s0">fw</test_value>
>                          <!-- policy id-->
>                          <test_value name="i0">10005</test_value>
>                          <!-- service -->
>                          <test_value name="s1">http</test_value>
>                          <!-- src zone -->
>                          <test_value name="s2">OUT</test_value>
>                          <!-- dst zone -->
>                          <test_value name="s3">IN</test_value>
>                          <!-- action -->
>                          <test_value name="s4">Deny</test_value>
>                          <!-- src -->
>                          <test_value name="i1">192.168.0.1</test_value>
>                          <!-- dst -->
>                          <test_value name="i2">192.168.1.1</test_value>
>                          <!-- src_port -->
>                          <test_value name="i3">51271</test_value>
>                          <!-- dst_port-->
>                          <test_value name="i4">80</test_value>
>                      </example>
>                  </examples>
>              </rule>
>          </rules>
>      </ruleset>
>
> but i get this error :
>
> /usr/local/syslog-ng/bin/pdbtool match -c -D -v -p /usr/local/elsa/node/conf/patterndb.xml -P fw -M "NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied"
The problem should lie here, you are using the same quotation char in 
the shell as in the message to be matched, so it is swallowed by bash. 
Try using single quotes and it should work like this:

blint at lyra:~$ pdbtool match -c -D -v -p /tmp/netscreen.xml -P fw -M 
'NetScreen device_id=fw [Root]system-notification-00257(traffic): 
start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http 
proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 
src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 
reason=Traffic Denied'
Pattern matching part:
NetScreen 
device_id=@ESTRING:s0=fw@@ESTRING:None=[Root]system-notification-00257(traffic):@start_time="@ESTRING:None=2012-10-02 
09:46:20@ 
duration=@ESTRING:None=0 at policy_id=@ESTRING:i0=10005 at service=@ESTRING:s1=http at proto=@ESTRING:None=6 at src 
zone=@ESTRING:s2=OUT at dst 
zone=@ESTRING:s3=IN at action=@ESTRING:s4=Deny at sent=@ESTRING:None=0 at rcvd=@ESTRING:None=40 at src=@ESTRING:i1=192.168.0.1 at dst=@ESTRING:i2=192.168.1.1 at src_port=@ESTRING:i3=51271 at dst_port=@ESTRING:i4=80 at session_id=@ESTRING:None=0 at reason=Traffic 
Denied
Matching part:
NetScreen device_id=fw [Root]system-notification-00257(traffic): 
start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http 
proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 
src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 
reason=Traffic Denied
Values:
MESSAGE=NetScreen device_id=fw [Root]system-notification-00257(traffic): 
start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http 
proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 
src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 
reason=Traffic Denied
PROGRAM=fw
.classifier.class=1001
.classifier.rule_id=1001
s0=fw
i0=10005
s1=http
s2=OUT
s3=IN
s4=Deny
i1=192.168.0.1
i2=192.168.1.1
i3=51271
i4=80
TAGS=


> Pattern matching part:
> NetScreen device_id=@ESTRING:s0=fw@@ESTRING:None=[Root]system-notification-00257(traffic):@start_time=2012-10-02
> Matching part:
> NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time=
> Values:
> MESSAGE=NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time=2012-10-02
> PROGRAM=fw
> .classifier.class=unknown
>
> Any help here
> thanks Stefan
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
Balint

More information about the syslog-ng mailing list