[syslog-ng] Problem with a pattern in 3.6.4

C. L. Martinez carlopmart at gmail.com
Fri Sep 4 09:01:15 CEST 2015


Many thanks, Evan. It works!

On Thu, Sep 3, 2015 at 3:09 PM, Evan Rempel <erempel at uvic.ca> wrote:
>
> <pattern>@ESTRING:s3:  @@ESTRING::  [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**]@ [Classification: @ESTRING:s2:]@ [Priority: @NUMBER:i0@] [AppID: @ESTRING:s4:]@ @QSTRING:i1:{}@ @IPv4:i2@:@NUMBER:i3@ -> @IPv4:i4@:@NUMBER:i5@</pattern>
>
>
>
> On 09/03/2015 06:53 AM, C. L. Martinez wrote:
>> Hi all,
>>
>>   I am trying to configure a pattern for the following log entry in
>> syslog-ng 3.6.4:
>>
>> idpsnort01  09/03-13:18:41.935109  [**] [3:19187:6] PROTOCOL-DNS TMG
>> Firewall Client long host entry exploit attempt [**] [Classification:
>> Attempted User Privilege Gain] [Priority: 1] [AppID: dns] {UDP}
>> 80.58.61.250:53 -> 10.196.0.67:60941
>>
>>   My pattern is:
>>
>> <pattern>@ESTRING:s3: @@ESTRING:: @@ESTRING:: [**]@ @QSTRING:s0:[]@
>> @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority
>> : @NUMBER:i0:@] @@[AppID: @QSTRING:s4: ] @QSTRING:i1:{}@
>> @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
>>
>>   If you try it, you can see it doesn't work. Problem is with the
>> following part of the message:
>>
>> [Priority: 1] [AppID: dns]
>>
>>   I need to escape "] [AppID:" and catch "dns" field, but I have tried
>> some configs without luck.
>>
>> Any idea??
>>
>> Many thanks.
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>
>
> --
> Evan Rempel                                      erempel at uvic.ca
> Senior Systems Administrator                        250.721.7691
> Data Centre Services, University Systems, University of Victoria
>
>
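To check the working pattern outside a live syslog-ng, here is a complete patterndb ruleset wrapping Evan's pattern together with a test case built from the log line in the thread. This is an added example, not from the thread; the ruleset id, rule id, provider and the program name "snort" are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2015-09-04">
  <!-- ruleset name/id and the program pattern "snort" are assumed; the
       ruleset-level pattern is matched against $PROGRAM, not $MESSAGE -->
  <ruleset name="snort-alerts" id="snort-alerts">
    <pattern>snort</pattern>
    <rules>
      <rule provider="example" id="snort-alert-dns-exploit" class="violation">
        <patterns>
          <!-- Evan's pattern from the thread, matched against $MESSAGE.
               Note the double spaces after the sensor name and the timestamp,
               and that "]" alone terminates s2 and s4 so the literal
               " [Priority: " and "] [AppID: " are consumed as plain text. -->
          <pattern>@ESTRING:s3:  @@ESTRING::  [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**]@ [Classification: @ESTRING:s2:]@ [Priority: @NUMBER:i0@] [AppID: @ESTRING:s4:]@ @QSTRING:i1:{}@ @IPv4:i2@:@NUMBER:i3@ -> @IPv4:i4@:@NUMBER:i5@</pattern>
        </patterns>
        <examples>
          <example>
            <!-- the sample alert from the thread, on a single line -->
            <test_message program="snort">idpsnort01  09/03-13:18:41.935109  [**] [3:19187:6] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] [AppID: dns] {UDP} 80.58.61.250:53 -> 10.196.0.67:60941</test_message>
            <test_values>
              <test_value name="s3">idpsnort01</test_value>
              <test_value name="s0">3:19187:6</test_value>
              <test_value name="s1">PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt</test_value>
              <test_value name="s2">Attempted User Privilege Gain</test_value>
              <test_value name="i0">1</test_value>
              <test_value name="s4">dns</test_value>
              <test_value name="i1">UDP</test_value>
              <test_value name="i2">80.58.61.250</test_value>
              <test_value name="i3">53</test_value>
              <test_value name="i4">10.196.0.67</test_value>
              <test_value name="i5">60941</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Save it as e.g. snort.pdb and run `pdbtool test snort.pdb`; pdbtool reports any test_value that the pattern does not extract as written, which is the quickest way to catch a stray space or delimiter before deploying the ruleset.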

