[syslog-ng] Issue with pdbtool patterndb and percent symbols

Mark Shetka mshetka at d.umn.edu
Wed Jan 29 15:40:09 CET 2014


I am setting up some patterns to parse Cisco syslog messages.  I noticed
that pdbtool will not complete if I have a "%F" anywhere in the string.

Example log message:
%FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management

This does not complete:
pdbtool match -p cisco.xml -M "%FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management"

Nor does simply %F:
pdbtool match -p cisco.xml -M "%F"

It is fine without the %:
pdbtool match -p cisco.xml -M "FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management"

MESSAGE=FWSM-1-109006: Authentication failed for user 'test' from 131.212.1.1/43250 to 10.1.1.1/22 on interface management
.classifier.class=login
.classifier.rule_id=5cfbcb23-cfe4-4120-85c1-918df65c0edc
usracct.username=test
usracct.device=131.212.1.1
usracct.service=22
usracct.type=login
usracct.sessionid=
usracct.application=
secevt.verdict=REJECT
TAGS=.classifier.login,usracct,secevt

It also seems to have issues with "%S", although not quite in the same way.
Any ideas what could be causing this?

Mark


--
Mark Shetka
Information Technology Systems & Services
University of Minnesota - Duluth
(218) 726-7682