[syslog-ng] Optional Parser Type Match
Michael Starks
syslog-ng-list at michaelstarks.com
Sat Jul 5 18:15:59 CEST 2014
Can a parser type be made to optionally match? For example, given the
message of 'DROP IN=vlan2 OUT=
MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 SRC=1.2.3.4
DST=172.16.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=61318 PROTO=TCP
SPT=443 DPT=45872 SEQ=1548679084 ACK=0 WINDOW=0 RES=0x00 RST URGP', OUT=
may or may not be defined. I would like to match it if it exists with a
parser and maybe just set it to null if it doesn't exist.
Similarly, in this message: 'DROP IN=vlan2 OUT=
MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00:45:00:00:28 SRC=1.2.3.4
DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=3265 DF PROTO=TCP
SPT=443 DPT=44616 SEQ=880418731 ACK=0 WINDOW=0 RES=0x00 RST UR', the DF
field sometimes exists and sometimes doesn't.
Whenever I define something like 'DROP IN=@ESTRING:s1: @OUT=@ESTRING:s0:
@' the OUT= string doesn't match if there is no value.
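
The message shape described in the post above (a KEY= that may carry no value, and bare tokens such as DF that may be absent), handled by a tokenizing parser. This is an added example in Python, not part of the original post and not syslog-ng or patterndb code; the function name `parse_netfilter` and the sample lines (shortened from the post's messages, with one constructed `OUT=eth0` variant) are assumptions.

```python
import re

# KEY=value where the value may be empty ("OUT="); bare words are flags (DF, RST).
_TOKEN = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)|(?P<flag>[A-Z]+)")


def parse_netfilter(msg):
    """Split a netfilter-style LOG message into action, fields and flags.

    An empty value (e.g. 'OUT=') maps to None instead of failing the match,
    and optional bare tokens (e.g. 'DF') are collected as flags, so their
    absence never changes how the remaining fields are parsed.
    """
    action, _, rest = msg.strip().partition(" ")
    fields, flags = {}, []
    for token in rest.split():
        m = _TOKEN.fullmatch(token)
        if m is None:
            # Reject anything that is neither KEY=value nor a bare flag.
            raise ValueError(f"unexpected token: {token!r}")
        if m.group("key"):
            fields[m.group("key")] = m.group("value") or None
        else:
            flags.append(m.group("flag"))
    return {"action": action, "fields": fields, "flags": flags}


# Constructed samples, shortened from the two messages quoted in the post.
SAMPLE_EMPTY_OUT = (
    "DROP IN=vlan2 OUT= MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00 "
    "SRC=1.2.3.4 DST=172.16.0.1 LEN=40 TTL=45 ID=61318 PROTO=TCP "
    "SPT=443 DPT=45872 RST"
)
SAMPLE_WITH_DF = (
    "DROP IN=vlan2 OUT= MAC=48:5b:39:e8:44:c5:00:1d:5a:1c:37:b9:08:00 "
    "SRC=1.2.3.4 DST=172.16.0.2 LEN=40 TTL=54 ID=3265 DF PROTO=TCP "
    "SPT=443 DPT=44616 RST"
)
# Constructed variant with OUT= populated; the interface name is made up.
SAMPLE_OUT_SET = "DROP IN=vlan2 OUT=eth0 SRC=1.2.3.4 DST=172.16.0.1 PROTO=TCP"

if __name__ == "__main__":
    for line in (SAMPLE_EMPTY_OUT, SAMPLE_WITH_DF, SAMPLE_OUT_SET):
        parsed = parse_netfilter(line)
        print(parsed["fields"].get("OUT"), parsed["flags"])
```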