[syslog-ng] need help with pattern, get .classifier.class=unknown
Stefan Sabolowitsch
Stefan.Sabolowitsch at felten-group.com
Thu Feb 14 15:37:18 CET 2013
Ahhh, big thanks :)
Stefan
On 14.02.2013 at 15:32, Balint Kovacs <balint.kovacs at balabit.com> wrote:
> Hi,
>
> On 02/14/2013 03:26 PM, Stefan Sabolowitsch wrote:
>> Hi all,
>> I use the NetScreen pattern
>>
>> the ruleset:
>>
>> <ruleset name="NetScreen" id='1001'>
>> <pattern>fw</pattern>
>> <rules>
>> <rule provider="ELSA" class='1001' id='1001'>
>> <patterns>
>> <pattern>NetScreen device_id=@ESTRING:s0: @@ESTRING:: @start_time="@ESTRING::"@ duration=@ESTRING:: @policy_id=@ESTRING:i0: @service=@ESTRING:s1: @proto=@ESTRING:: @src zone=@ESTRING:s2: @dst zone=@ESTRING:s3: @action=@ESTRING:s4: @sent=@ESTRING:: @rcvd=@ESTRING:: @src=@ESTRING:i1: @dst=@ESTRING:i2: @src_port=@ESTRING:i3: @dst_port=@ESTRING:i4: @session_id=@ESTRING:: @reason=Traffic Denied</pattern>
>> </patterns>
>> <examples>
>> <example>
>> <test_message program="NetScreen deny">NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied</test_message>
>> <!-- device -->
>> <test_value name="s0">fw</test_value>
>> <!-- policy id-->
>> <test_value name="i0">10005</test_value>
>> <!-- service -->
>> <test_value name="s1">http</test_value>
>> <!-- src zone -->
>> <test_value name="s2">OUT</test_value>
>> <!-- dst zone -->
>> <test_value name="s3">IN</test_value>
>> <!-- action -->
>> <test_value name="s4">Deny</test_value>
>> <!-- src -->
>> <test_value name="i1">192.168.0.1</test_value>
>> <!-- dst -->
>> <test_value name="i2">192.168.1.1</test_value>
>> <!-- src_port -->
>> <test_value name="i3">51271</test_value>
>> <!-- dst_port-->
>> <test_value name="i4">80</test_value>
>> </example>
>> </examples>
>> </rule>
>> </rules>
>> </ruleset>
>>
>> but I get this error:
>>
>> /usr/local/syslog-ng/bin/pdbtool match -c -D -v -p /usr/local/elsa/node/conf/patterndb.xml -P fw -M "NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied"
> The problem should lie here: you are using the same quotation char in
> the shell as in the message to be matched, so it is swallowed by bash.
> Try using single quotes and it should work like this:
>
> blint@lyra:~$ pdbtool match -c -D -v -p /tmp/netscreen.xml -P fw -M
> 'NetScreen device_id=fw [Root]system-notification-00257(traffic):
> start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http
> proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40
> src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0
> reason=Traffic Denied'
> Pattern matching part:
> NetScreen
> device_id=@ESTRING:s0=fw@@ESTRING:None=[Root]system-notification-00257(traffic):@start_time="@ESTRING:None=2012-10-02
> 09:46:20@
> duration=@ESTRING:None=0@policy_id=@ESTRING:i0=10005@service=@ESTRING:s1=http@proto=@ESTRING:None=6@src
> zone=@ESTRING:s2=OUT@dst
> zone=@ESTRING:s3=IN@action=@ESTRING:s4=Deny@sent=@ESTRING:None=0@rcvd=@ESTRING:None=40@src=@ESTRING:i1=192.168.0.1@dst=@ESTRING:i2=192.168.1.1@src_port=@ESTRING:i3=51271@dst_port=@ESTRING:i4=80@session_id=@ESTRING:None=0@reason=Traffic
> Denied
> Matching part:
> NetScreen device_id=fw [Root]system-notification-00257(traffic):
> start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http
> proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40
> src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0
> reason=Traffic Denied
> Values:
> MESSAGE=NetScreen device_id=fw [Root]system-notification-00257(traffic):
> start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http
> proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40
> src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0
> reason=Traffic Denied
> PROGRAM=fw
> .classifier.class=1001
> .classifier.rule_id=1001
> s0=fw
> i0=10005
> s1=http
> s2=OUT
> s3=IN
> s4=Deny
> i1=192.168.0.1
> i2=192.168.1.1
> i3=51271
> i4=80
> TAGS=
>
>
>> Pattern matching part:
>> NetScreen device_id=@ESTRING:s0=fw@@ESTRING:None=[Root]system-notification-00257(traffic):@start_time=2012-10-02
>> Matching part:
>> NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time=
>> Values:
>> MESSAGE=NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time=2012-10-02
>> PROGRAM=fw
>> .classifier.class=unknown
>>
>> Any help here?
>> Thanks, Stefan
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
> Balint
>
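The quoting problem Balint points out, reproduced as an added example (this is not code from the thread; the helper functions count_args, first_arg, with_double_quotes, with_single_quotes and check_message are assumed names, and the message text is the NetScreen line from the thread):

```shell
#!/bin/sh
# Added example (not from the thread): reproduces the shell-quoting problem
# behind the ".classifier.class=unknown" result. The message text is the
# NetScreen line from the thread; the helper functions are assumptions of ours.

# Report how many positional arguments the shell handed us.
count_args() { echo "$#"; }

# Report only the first positional argument, which is all -M would receive.
first_arg() { printf '%s\n' "$1"; }

# Same quoting as the original command: the shell closes the string at
# start_time=, re-opens it after 09:46:20, and splits the message in two.
with_double_quotes() {
  "$1" "NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied"
}

# The fix from the reply: single quotes keep the inner double quotes literal.
with_single_quotes() {
  "$1" 'NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied'
}

# Pre-flight check before debugging the pattern itself: the message must
# still contain the literal start_time=" that the rule expects.
check_message() {
  case "$1" in
    *'start_time="'*) echo ok ;;
    *) echo truncated ;;
  esac
}

echo "double quotes: $(with_double_quotes count_args) argument(s)"   # 2
echo "first argument: $(with_double_quotes first_arg)"
echo "single quotes:  $(with_single_quotes count_args) argument(s)"  # 1
check_message "$(with_double_quotes first_arg)"   # truncated
check_message "$(with_single_quotes first_arg)"   # ok
```

The first argument under double quotes ends at start_time=2012-10-02, which is exactly where the MESSAGE= value in the failing pdbtool output stops.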