[syslog-ng] Problem with a pattern in 3.6.4
C. L. Martinez
carlopmart at gmail.com
Thu Sep 3 15:53:40 CEST 2015
Hi all,
I am trying to configure a pattern for the following log entry in
syslog-ng 3.6.4:
idpsnort01 09/03-13:18:41.935109 [**] [3:19187:6] PROTOCOL-DNS TMG
Firewall Client long host entry exploit attempt [**] [Classification:
Attempted User Privilege Gain] [Priority: 1] [AppID: dns] {UDP}
80.58.61.250:53 -> 10.196.0.67:60941
My pattern is:
<pattern>@ESTRING:s3: @@ESTRING:: @@ESTRING:: [**]@ @QSTRING:s0:[]@
@ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority
: @NUMBER:i0:@] @@[AppID: @QSTRING:s4: ] @QSTRING:i1:{}@
@IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
If you try it, you can see it doesn't work. The problem is with the
following part of the message:
[Priority: 1] [AppID: dns]
I need to escape "] [AppID:" and catch the "dns" field, but I have tried
some configs without luck.
Any idea??
Many thanks.
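As an added worked example (not code from the original post, and not syslog-ng's own implementation), the following Python script emulates the patterndb parsers used in the pattern above (ESTRING, QSTRING, NUMBER, IPv4, literal text and the `@@` escape) and runs a pattern for the Snort alert line through it. Assumptions: the parser semantics are a simplified reading of the patterndb documentation (ESTRING matches up to and consumes its delimiter string, QSTRING takes one or two quote characters, the whole message must be consumed); the alert line is the one from the post with the mail line-wraps joined by spaces; the field names (`host`, `sid`, `appid`, ...) are my own choice rather than the post's `s0`/`i0` names. The point the example makes is that in patterndb `@@` stands for a literal `@` character, which the alert line does not contain, so a pattern that reaches `[AppID:` through `] @@[AppID:` can only match a message that actually has an `@` there.

```python
"""Added example: a small emulation of syslog-ng patterndb parser semantics,
used to work through the Snort alert line from the post. This is NOT
syslog-ng code; semantics are a simplified reading of the patterndb docs."""
import re

# Constructed input: the alert line from the post, mail line-wraps joined with spaces.
ALERT = ("idpsnort01 09/03-13:18:41.935109 [**] [3:19187:6] PROTOCOL-DNS TMG "
         "Firewall Client long host entry exploit attempt [**] [Classification: "
         "Attempted User Privilege Gain] [Priority: 1] [AppID: dns] {UDP} "
         "80.58.61.250:53 -> 10.196.0.67:60941")

# Assumed pattern for that line (field names are mine, not the post's s0/i0 names).
# There is deliberately no '@@' before '[AppID:': '@@' means a literal '@', and
# the message has none.
PATTERN = ("@ESTRING:host: @@ESTRING:timestamp: @[**] [@ESTRING:sid:]@ "
           "@ESTRING:msg: [**] @[Classification: @ESTRING:class:]@ "
           "[Priority: @NUMBER:priority:@] [AppID: @ESTRING:appid:]@ "
           "{@ESTRING:proto:}@ @IPv4:src_ip:@:@NUMBER:src_port:@ -> "
           "@IPv4:dst_ip:@:@NUMBER:dst_port:@")

_NUMBER = re.compile(r"\d+")
_IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def tokenize(pattern):
    """Split a pattern into ('lit', text) and ('parser', kind, name, arg) tokens."""
    tokens, lit, i = [], "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch != "@":
            lit += ch
            i += 1
        elif pattern.startswith("@@", i):      # '@@' in literal text is one literal '@'
            lit += "@"
            i += 2
        else:                                  # '@KIND:name:arg@' parser reference
            end = pattern.find("@", i + 1)
            if end < 0:
                raise ValueError("unterminated parser reference in pattern")
            kind, name, arg = (pattern[i + 1:end].split(":", 2) + ["", ""])[:3]
            if lit:
                tokens.append(("lit", lit))
                lit = ""
            tokens.append(("parser", kind, name, arg))
            i = end + 1
    if lit:
        tokens.append(("lit", lit))
    return tokens


def match(pattern, msg):
    """Return the extracted fields if PATTERN consumes all of MSG, else None."""
    pos, fields = 0, {}
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
            continue
        _, kind, name, arg = tok
        if kind == "ESTRING":                  # text up to (and consuming) the delimiter
            if not arg:                        # no delimiter: rest of the message
                value, pos = msg[pos:], len(msg)
            else:
                end = msg.find(arg, pos)
                if end < 0:
                    return None
                value, pos = msg[pos:end], end + len(arg)
        elif kind == "QSTRING":                # text between open/close quote chars
            open_q, close_q = arg[0], arg[-1]
            if not msg.startswith(open_q, pos):
                return None
            end = msg.find(close_q, pos + 1)
            if end < 0:
                return None
            value, pos = msg[pos + 1:end], end + 1
        elif kind in ("NUMBER", "IPv4"):
            m = (_NUMBER if kind == "NUMBER" else _IPV4).match(msg, pos)
            if not m:
                return None
            value, pos = m.group(), m.end()
        else:
            raise ValueError(f"parser {kind!r} not emulated here")
        if name:                               # unnamed parsers only consume text
            fields[name] = value
    return fields if pos == len(msg) else None  # trailing unmatched text is a failure


def parse_snort_alert(line=ALERT):
    """Extract the alert fields a SOC wants (sid, class, priority, endpoints)."""
    return match(PATTERN, line)


def literal_at_demo():
    """Show that '@@' in a pattern requires a literal '@' in the message."""
    frag = "[Priority: @NUMBER:p:@] @@[AppID: @ESTRING:a:]@"
    return (match(frag, "[Priority: 1] [AppID: dns]"),    # None: no '@' in message
            match(frag, "[Priority: 1] @[AppID: dns]"))   # matches: '@' present


if __name__ == "__main__":
    for key, value in parse_snort_alert().items():
        print(f"{key:10} = {value}")
    print(literal_at_demo())
```

The emulation is only a check on the pattern's structure; confirm the final pattern against the real engine with `pdbtool match -p <your patterndb.xml> -M "<alert line>"` before relying on it, because patterndb's full-message matching means an alert that does not match silently loses its `priority`, `class` and endpoint fields for later correlation.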