[syslog-ng] Problem with a pattern in 3.6.4

Evan Rempel erempel at uvic.ca
Thu Sep 3 17:09:32 CEST 2015


<pattern>@ESTRING:s3:  @@ESTRING::  [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**]@ [Classification: @ESTRING:s2:]@ [Priority: @NUMBER:i0@] [AppID: @ESTRING:s4:]@ @QSTRING:i1:{}@ @IPv4:i2@:@NUMBER:i3@ -> @IPv4:i4@:@NUMBER:i5@</pattern>



On 09/03/2015 06:53 AM, C. L. Martinez wrote:
> Hi all,
>
>   I am trying to configure a pattern for the following log entry in
> syslog-ng 3.6.4:
>
> idpsnort01  09/03-13:18:41.935109  [**] [3:19187:6] PROTOCOL-DNS TMG
> Firewall Client long host entry exploit attempt [**] [Classification:
> Attempted User Privilege Gain] [Priority: 1] [AppID: dns] {UDP}
> 80.58.61.250:53 -> 10.196.0.67:60941
>
>   My pattern is:
>
> <pattern>@ESTRING:s3: @@ESTRING:: @@ESTRING:: [**]@ @QSTRING:s0:[]@
> @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority
> : @NUMBER:i0:@] @@[AppID: @QSTRING:s4: ] @QSTRING:i1:{}@
> @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
>
>   If you try it, you can see it doesn't work. Problem is with the
> following part of the message:
>
> [Priority: 1] [AppID: dns]
>
>   I need to escape "] [AppID:" and catch "dns" field, but I have tried
> some configs without luck.
>
> Any idea??
>
> Many thanks.
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>


-- 
Evan Rempel                                      erempel at uvic.ca
Senior Systems Administrator                        250.721.7691
Data Centre Services, University Systems, University of Victoria
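A worked example added here, not code from the thread or from the syslog-ng project: a small Python emulation of the documented patterndb parser semantics (ESTRING with a multi-character delimiter that is consumed but not captured, QSTRING with open/close quote characters, NUMBER, IPv4, and `@@` as a literal `@`) run against the Snort line quoted above with the pattern from the reply. It shows where each named field (s0..s4, i0..i5) comes from and why no escaping of "] [AppID:" is needed: the ESTRING delimiter "]" ends the Classification value, and "] [AppID: " is then plain literal text. The function names `tokenize`, `match_pattern` and `parse_snort` are this example's own. It is an approximation for checking delimiters offline; the authoritative check is `pdbtool match` against the real patterndb file.

```python
import re

# Constructed sample: the Snort alert line quoted in the thread, as one message.
SAMPLE = ("idpsnort01  09/03-13:18:41.935109  [**] [3:19187:6] PROTOCOL-DNS TMG "
          "Firewall Client long host entry exploit attempt [**] [Classification: "
          "Attempted User Privilege Gain] [Priority: 1] [AppID: dns] {UDP} "
          "80.58.61.250:53 -> 10.196.0.67:60941")

# The pattern from the reply, verbatim (note the double spaces in the first two delimiters).
PATTERN = ("@ESTRING:s3:  @@ESTRING::  [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**]@ "
           "[Classification: @ESTRING:s2:]@ [Priority: @NUMBER:i0@] [AppID: @ESTRING:s4:]@ "
           "@QSTRING:i1:{}@ @IPv4:i2@:@NUMBER:i3@ -> @IPv4:i4@:@NUMBER:i5@")


def tokenize(pattern):
    """Split a patterndb pattern into ('lit', text) and ('parser', kind, name, param) tokens.
    Outside a parser, '@@' is a literal '@'; '@KIND:name:param@' is a parser reference."""
    tokens, lit, i = [], "", 0
    while i < len(pattern):
        if pattern[i] != "@":
            lit += pattern[i]
            i += 1
            continue
        if pattern[i + 1:i + 2] == "@":          # escaped literal @
            lit += "@"
            i += 2
            continue
        end = pattern.find("@", i + 1)           # closing @ of the parser reference
        if end < 0:
            raise ValueError("unterminated parser reference at offset %d" % i)
        if lit:
            tokens.append(("lit", lit))
            lit = ""
        parts = pattern[i + 1:end].split(":", 2)  # KIND, name, param (last two optional)
        kind = parts[0]
        name = parts[1] if len(parts) > 1 else ""
        param = parts[2] if len(parts) > 2 else ""
        tokens.append(("parser", kind, name, param))
        i = end + 1
    if lit:
        tokens.append(("lit", lit))
    return tokens


def match_pattern(pattern, msg):
    """Return {name: value} if the whole message matches the pattern, else None.
    Simplified semantics: ESTRING takes text up to its delimiter and consumes the
    delimiter; an empty delimiter means 'to end of message'. QSTRING strips the quotes.
    Values are kept as strings, as patterndb stores them."""
    pos, values = 0, {}
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
            continue
        _, kind, name, param = tok
        if kind == "ESTRING":
            if param == "":
                value, pos = msg[pos:], len(msg)
            else:
                end = msg.find(param, pos)
                if end < 0:
                    return None
                value, pos = msg[pos:end], end + len(param)
        elif kind == "QSTRING":
            open_c, close_c = param[0], (param[1] if len(param) > 1 else param[0])
            if msg[pos:pos + 1] != open_c:
                return None
            end = msg.find(close_c, pos + 1)
            if end < 0:
                return None
            value, pos = msg[pos + 1:end], end + 1
        elif kind in ("NUMBER", "IPv4"):
            rx = r"-?(?:0[xX][0-9a-fA-F]+|\d+)" if kind == "NUMBER" else r"\d{1,3}(?:\.\d{1,3}){3}"
            m = re.match(rx, msg[pos:])
            if not m:
                return None
            value, pos = m.group(0), pos + m.end()
        else:
            raise ValueError("parser %s not emulated here" % kind)
        if name:                                  # unnamed parsers (e.g. @ESTRING::...@) discard
            values[name] = value
    return values if pos == len(msg) else None    # patterndb requires a whole-message match


def parse_snort(msg):
    """Apply the reply's pattern to one Snort line."""
    return match_pattern(PATTERN, msg)


if __name__ == "__main__":
    for k, v in sorted(parse_snort(SAMPLE).items()):
        print("%s = %r" % (k, v))
```

Running it prints s3 (the host), s0 (the GID:SID:rev), s1 (the rule message), s2, s4 (dns), i1 (UDP) and the two address/port pairs; a line without the `[AppID: ...]` block returns None because the literal "] [AppID: " no longer matches. A practical use is to keep such a check next to the pattern file so a Snort rule-format change is caught before events silently stop being classified.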