Cacti / plugin_syslog

Syslog Plugin for Cacti
GNU General Public License v2.0
21 stars 16 forks source link

Alert rule SQL Expression not working as expected #101

Closed jdcoats closed 4 years ago

jdcoats commented 4 years ago

I'm trying to create a rule based on host & message. I've tried various syntax and cannot get it to trigger the alert. What is the correct way if what I am trying is incorrect?

message like '%SEC_LOGIN-%' AND host like '10.255.254%'
message rlike '%SEC_LOGIN-%' AND host rlike '10.255.254%'

netniV commented 4 years ago

Have you set the match type?

netniV commented 4 years ago

Forget that, just seen it in the title, not the post 👍

netniV commented 4 years ago

So, the like statement should be correct.

sudo -u www-data php -a
Interactive mode enabled

php > include 'include/cli_check.php';
php > $m="message like '%SEC_LOGIN-%' AND host like '10.255.254%'";
php > echo db_qstr($m);
'message like \'%SEC_LOGIN-%\' AND host like \'10.255.254%\''

However, I think that would fail here because the single quotes would be escaped:

} else if ($alert['type'] == 'sql') {
        $sql = 'SELECT * FROM `' . $syslogdb_default . '`.`syslog_incoming`
                WHERE (' . db_qstr($alert['message']) . ')
                AND status=' . $uniqueID;
}

cigamit commented 4 years ago

I guess this has everything to do with the db_qstr() call. It's breaking what the user is attempting to accomplish. We can pull out the db_qstr() and then this would work as expected.

cigamit commented 4 years ago

This is resolved now.
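
Why the quoted form never fires, as an added example that is not part of the thread or the plugin's code: once the whole rule is wrapped as one string literal, the WHERE clause tests a constant non-numeric string, which evaluates to false, so no row is returned. Assumptions: SQLite stands in for MySQL/MariaDB (both treat such a string as 0 in a boolean context), `quote_literal()` is a hypothetical stand-in for `db_qstr()`, and the sample rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for syslog_incoming (host, message, status).
ROWS = [
    ("10.255.254.7", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin]", 1),
    ("10.255.254.9", "%LINK-3-UPDOWN: Interface Gi0/1, changed state to up", 1),
    ("192.0.2.10", "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root]", 1),
]

# The rule text from the issue.
RULE = "message like '%SEC_LOGIN-%' AND host like '10.255.254%'"


def quote_literal(value: str) -> str:
    """Hypothetical stand-in for db_qstr(): wrap value as ONE SQL string literal.

    SQLite escapes a quote by doubling it; the PHP session in the thread
    shows backslash escapes instead. The effect on the query is the same.
    """
    return "'" + value.replace("'", "''") + "'"


def build_query(rule: str, unique_id: int, quoted: bool) -> str:
    """Mirror the shape of the query in the thread, with or without quoting."""
    expr = quote_literal(rule) if quoted else rule
    return (
        "SELECT host, message FROM syslog_incoming "
        f"WHERE ({expr}) AND status={int(unique_id)}"
    )


def matching_hosts(rule: str, quoted: bool) -> list:
    """Run the rule against the constructed rows and return the matching hosts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE syslog_incoming (host TEXT, message TEXT, status INTEGER)")
    db.executemany("INSERT INTO syslog_incoming VALUES (?, ?, ?)", ROWS)
    rows = db.execute(build_query(rule, 1, quoted)).fetchall()
    db.close()
    return [host for host, _ in rows]


if __name__ == "__main__":
    print("quoted  :", matching_hosts(RULE, quoted=True))
    print("unquoted:", matching_hosts(RULE, quoted=False))
```

With the quoting removed, the rule text runs as part of the SQL statement itself, so the ability to create or edit SQL-type alert rules is best limited to trusted administrators.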