[syslog-ng] Convert rewrite rules (regex) to patterndb

Clayton Dukes cdukes at logzilla.net
Wed Jan 25 22:29:08 UTC 2017


Hi All,
Are there any tools/scripts anyone has written that will convert regex to patterndb types of matches?
So, given some rewrite rule from the "old" way of doing it, convert that rule to a pdb file.
Like:

filter f_asa {
  # PCRE match on the message body; "store-matches" keeps the capture groups as $1..$11
  match(
    '(.*?):?(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+)(.*?)(\).*?)?:?(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+)(.*?)(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+)(.*)'
    value("MESSAGE") type("pcre") flags("store-matches" "ignore-case")
  );
};

rewrite rw_cisco {
  # Rebuild MESSAGE from the capture groups stored by f_asa
  set("$1 SourceIP: $2 SourcePort:$3 $4 $5DestIP: $6 DestPort:$7 $8 SourceIP: $9 SourcePort:$10 $11", value("MESSAGE") condition(filter(f_asa)));
};

Convert to something like:
<pattern>%ASA-6-305011: Built dynamic TCP translation from inside:@IPv4:src_ip@/@NUMBER:src_port@ to Outside:@IPv4:dst_ip@/@NUMBER:dst_port@</pattern>


Note: the above is just an example; the regex may not be the same as the actual <pattern> - I just copy-pasted from different files to show an example.
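An added example of the kind of converter the question asks for, written for this page and not taken from the original post or from the syslog-ng project. It inspects the text of an old PCRE (without ever compiling it), maps capture groups that match a small table of idioms onto patterndb parsers (IPv4 -> @IPv4@, \d+ -> @NUMBER@, a lazy (.*?) before a literal -> @ESTRING@ with that literal's first character as delimiter, a trailing (.*) -> @ANYSTRING@), and refuses with a ValueError anything it cannot map faithfully, such as the optional group and the `:?` in the f_asa regex above, so those get hand-converted rather than silently mis-parsed. The idiom table, the caller-supplied field names, and the ruleset/rule ids, provider, pub_date and the program-name pattern "cisco-asa" are all assumptions chosen for illustration.

```python
"""Convert simple PCRE capture-group idioms into a syslog-ng patterndb rule.

Added example, not from the original post or the syslog-ng project. The
idiom table, rule ids, provider, pub_date and the 'cisco-asa' program
pattern are assumptions chosen for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Regexes matched against the *text* of a capture group body (the old PCRE is
# never compiled here), each paired with the patterndb parser it becomes.
IPV4_RE = re.compile(r'^(?:\\d|\[0-9\])\{1,3\}\+?(?:\\\.(?:\\d|\[0-9\])\{1,3\}\+?){3}$')
NUMBER_RE = re.compile(r'^(?:\\d|\[0-9\])\+$')
WILDCARD_RE = re.compile(r'^\.\*(\??)$')               # ".*" or lazy ".*?"
GROUP_RE = re.compile(r'(?<!\\)\(([^()]*)\)([?*+]?)')  # unnested capture group + quantifier
META_RE = re.compile(r'(?<!\\)[.?*+\[\]{}|^$]')        # unescaped metachars in literal text


def tokenize(regex):
    """Split a regex into ('lit', text) and ('grp', body, quantifier) tokens."""
    tokens, pos = [], 0
    for m in GROUP_RE.finditer(regex):
        if m.start() > pos:
            tokens.append(('lit', regex[pos:m.start()]))
        tokens.append(('grp', m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(regex):
        tokens.append(('lit', regex[pos:]))
    return tokens


def literal_to_pattern(text):
    """Turn literal regex text into literal patterndb text, or refuse."""
    if META_RE.search(text):
        raise ValueError(f"literal {text!r} has unescaped regex metacharacters; convert by hand")
    # Drop regex escapes (\. \/ ...); '@' is doubled because it is patterndb's escape for '@'.
    return re.sub(r'\\(.)', r'\1', text).replace('@', '@@')


def regex_to_pattern(regex, names):
    """Convert a PCRE with unnested capture groups into a patterndb <pattern> string.

    `names` gives, in order, the patterndb field name for each capture group,
    i.e. the names that replace $1, $2, ... from the old rewrite rule.
    """
    names, tokens, out, i = list(names), tokenize(regex), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok[0] == 'lit':
            out.append(literal_to_pattern(tok[1]))
            i += 1
            continue
        _, body, quant = tok
        if quant:
            raise ValueError(f"group ({body}){quant} is optional/repeated; convert by hand")
        if not names:
            raise ValueError("fewer names than capture groups")
        name = names.pop(0)
        if IPV4_RE.match(body):
            out.append(f'@IPv4:{name}@')
        elif NUMBER_RE.match(body):
            out.append(f'@NUMBER:{name}@')
        elif WILDCARD_RE.match(body):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is None:                       # trailing (.*): the rest of the message
                out.append(f'@ANYSTRING:{name}@')
            elif nxt[0] == 'lit' and WILDCARD_RE.match(body).group(1):
                # Lazy (.*?) up to a literal: ESTRING stops at, and consumes, its delimiter.
                lit = literal_to_pattern(nxt[1])
                delim, rest = lit[0], lit[1:]
                if delim == '@':
                    raise ValueError("'@' cannot be an ESTRING delimiter; convert by hand")
                out.append(f'@ESTRING:{name}:{delim}@')
                out.append(rest)
                i += 1                            # that literal token is now consumed
            else:
                raise ValueError(f"wildcard group ({body}) mid-pattern; convert by hand")
        else:
            raise ValueError(f"no patterndb parser known for ({body}); convert by hand")
        i += 1
    if names:
        raise ValueError("more names than capture groups")
    return ''.join(out)


def is_convertible(regex, names):
    """True if the rule converts automatically; False means it needs hand work."""
    try:
        regex_to_pattern(regex, names)
        return True
    except ValueError:
        return False


def build_patterndb(program_pattern, rule_id, rule_class, message_patterns):
    """Wrap message patterns in a minimal patterndb v4 document (ids are placeholders)."""
    db = ET.Element('patterndb', version='4', pub_date='2017-01-25')
    rs = ET.SubElement(db, 'ruleset', name='converted-rules', id='converted-rules')
    ET.SubElement(ET.SubElement(rs, 'patterns'), 'pattern').text = program_pattern
    rule = ET.SubElement(ET.SubElement(rs, 'rules'), 'rule',
                         attrib={'provider': 'converter', 'id': rule_id, 'class': rule_class})
    pats = ET.SubElement(rule, 'patterns')
    for p in message_patterns:
        ET.SubElement(pats, 'pattern').text = p
    return ET.tostring(db, encoding='unicode')


# Constructed sample: the ASA message behind the post's <pattern>, written the
# "old" way as a PCRE with four capture groups.
ASA_REGEX = (r'%ASA-6-305011: Built dynamic TCP translation from inside:'
             r'(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+) to Outside:'
             r'(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+)')
ASA_NAMES = ['src_ip', 'src_port', 'dst_ip', 'dst_port']

if __name__ == '__main__':
    pattern = regex_to_pattern(ASA_REGEX, ASA_NAMES)
    print(build_patterndb('cisco-asa', 'asa-305011-example', 'system', [pattern]))
```

Run it and the generated <pattern> is exactly the one quoted above. The deliberate design choice is to refuse rather than guess: a greedy (.*) mid-pattern does not have the same semantics as @ESTRING@ (first delimiter versus last), and an optional group has no single patterndb equivalent, so those rules are reported by is_convertible() for manual conversion instead of producing a pattern that parses real traffic wrongly.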


