
I'm currently trying to create a Pattern for the Firewall log of our Sophos Firewall.

I came up with this:

<ruleset name="sophos" id='10001'>
    <!-- Program the ruleset applies to: the example message comes from ulogd -->
    <pattern>ulogd</pattern>
    <rules>
        <rule provider="doesntmatter" class='10001' id='10001'>
            <patterns>
                <!-- Every @ESTRING@ needs a stop string; here the closing quote of each value.
                     The two IPv4 parsers expect real addresses, not the "*IP*" placeholders of the redacted sample. -->
                <pattern>@ESTRING::action=@"@ESTRING:s0:"@ fwrule="@NUMBER:i0:@" @ESTRING::srcip=@"@IPv4:i1:@" dstip="@IPv4:i2:@" @ESTRING::srcport=@"@NUMBER:i3:@" dstport="@NUMBER:i4:@"</pattern>
            </patterns>
        </rule>
    </rules>
</ruleset>

The example message I'm using is:

05:03-09:26:10 rim-utm-01-2 ulogd[8750]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="118" initf="eth0.666" outitf="ppp2" srcmac="*A MAC*" dstmac="*A MAC*" srcip="*IP*" dstip="*IP*" proto="17" length="105" tos="0x00" prec="0x00" ttl="127" srcport="50946" dstport="161"

I try matching it with pdbtool. This is the output:

 Missing ESTRING parser parameters; type='ESTRING'
MESSAGE=05:03-09:26:10 rim-utm-01-2 ulogd[8750]: id=2001 severity=info sys=SecureNet sub=packetfilter name=Packet
.classifier.class=unknown
TAGS=.classifier.unknown
  • @ESTRING@ needs a stopstring or a stopcharacter as a parameter. This is not optional. Give it a try with `@ESTRING::action=@"@ESTRING:s0:"@ fwrule=`. – MrAnno May 04 '16 at 07:51
  • Also, have a look at the `kv-parser()` plugin, maybe it's enough for this problem: https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#key-value-parser – MrAnno May 04 '16 at 07:59
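The two approaches raised above (the patterndb ruleset and the kv-parser() plugin) wired into a syslog-ng configuration, as an added example that is not part of the question or of MrAnno's comments. It assumes syslog-ng OSE 3.7 or later (kv-parser() is not available before that), that the firewall sends its log over UDP/514, that the ruleset is saved at the path shown, and that the output file paths and the "sophos." prefix are free to choose; all of those values are constructed for the example.

```conf
@version: 3.7

# Constructed example: receive the Sophos UTM packetfilter log (ulogd) over syslog/UDP.
source s_sophos {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Route A: the patterndb ruleset from the question, stored at an assumed path.
# The values matched by the pattern are available as ${s0} (action),
# ${i0} (fwrule), ${i1}/${i2} (srcip/dstip) and ${i3}/${i4} (srcport/dstport).
parser p_sophos_pdb {
    db-parser(file("/etc/syslog-ng/patterndb.d/sophos.xml"));
};

destination d_pdb {
    file("/var/log/sophos/packetfilter-pdb.log"
        template("${ISODATE} ${HOST} action=${s0} fwrule=${i0} ${i1}:${i3} -> ${i2}:${i4}\n"));
};

log {
    source(s_sophos);
    parser(p_sophos_pdb);
    destination(d_pdb);
};

# Route B: generic key="value" parsing. Every field of the message becomes a
# name-value pair under the chosen prefix, e.g. ${sophos.action}, ${sophos.fwrule},
# ${sophos.proto}, without writing a pattern for each field.
parser p_sophos_kv {
    kv-parser(prefix("sophos."));
};

# Keep only dropped packets (action="drop" in the sample message).
filter f_dropped {
    "${sophos.action}" == "drop";
};

destination d_dropped {
    file("/var/log/sophos/dropped.log"
        template("${ISODATE} ${HOST} fwrule=${sophos.fwrule} ${sophos.srcip}:${sophos.srcport} -> ${sophos.dstip}:${sophos.dstport} proto=${sophos.proto} ttl=${sophos.ttl}\n"));
};

log {
    source(s_sophos);
    parser(p_sophos_kv);
    filter(f_dropped);
    destination(d_dropped);
};
```

Route B is the one to start with for a log that is already key="value" formatted: the pattern in route A has to be extended by hand for every additional field (proto, initf, outitf, ...) and silently stops classifying the message if Sophos changes the field order, whereas kv-parser() keeps working and the filter on ${sophos.action} still selects the dropped packets.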

0 Answers