SafeAF / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

Search pattern variables - intended usage documentation #120

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Where do I see the current search pattern variables and the intended usage?

ex.

QSTRING
ESTRING
IPv4
IPv6 (do you support ipv6?)
NUMBER
ANYSTRING

s0
s1
s2
i0
i1
i2
i3
i4
i4

Original issue reported on code.google.com by jacobrav...@gmail.com on 5 Apr 2013 at 8:26

GoogleCodeExporter commented 8 years ago
Do you mean for pattern writing?  The i0-s5 fields are documented in the 
elsa/node/Reader.pm library file.  The QSTRING etc. terms are essentially 
meaningless right now, except for IPv4 which is used to flag fields which 
should have the IP to integer conversion performed.  IPv6 is not currently 
normalized as I'm still looking for the best way to store it without changing 
the current database schema.  IPv6 terms would still be searchable like any 
other text and can be stored in a string field for reporting purposes.

Original comment by mchol...@gmail.com on 5 Apr 2013 at 2:14

GoogleCodeExporter commented 8 years ago
Are you able to use REGEXP expressions in your search patterns instead of 
{QSTRING, ESTRING, IPv4....}?

Original comment by jesper.s...@gmail.com on 8 Apr 2013 at 7:09

GoogleCodeExporter commented 8 years ago
You can use PCRE in combination with QSTRING/ESTRING, etc. in Syslog-NG 3.4 as 
documented here: 
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin-en/html/reference-patterndb-parsers.html.
Note that right now, ELSA installs Syslog-NG 3.2 by default, so you will need 
to obtain 3.4 yourself.  Generally speaking, you don't need PCRE for most 
patterns.  Please let me know if you would like help writing a pattern.

Original comment by mchol...@gmail.com on 8 Apr 2013 at 2:13

GoogleCodeExporter commented 8 years ago
Could you please make a pattern for this syslog message, and explain the pattern 
you make?

access-list Outside_access_in permitted tcp 
Outside/Outside-AAR-FW-WAPGuest-8.2.1.17(50748) -> 
DMZ2043-SYS-Hi_Ton/Outside-NAT-HT-Hellermann-Hi-Ton-8.2.14.17(80) hit-cnt 1 
first hit [0x281e5523, 0xb8883872]

Original comment by jacobrav...@gmail.com on 11 Apr 2013 at 8:12
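
Added illustration, not code from the ELSA project, from syslog-ng, or from any participant in this thread: a small Python interpreter for the patterndb parser tokens named earlier (ESTRING, QSTRING, NUMBER, IPv4, ANYSTRING), run over the ASA access-list message quoted above and over a constructed variant with raw addresses. It also shows the IPv4-to-integer conversion the maintainer describes for fields flagged with the IPv4 parser. The field names, the second sample message and the normalize helper are assumptions made for the example; the interpreter approximates the documented parser behaviour and is not syslog-ng's implementation, and it does not reproduce ELSA's s0-s5/i0-i5 slot mapping from Reader.pm.

```python
"""Mini interpreter for syslog-ng patterndb parser tokens (illustration only)."""
import re
import socket
import struct

# @PARSER:name@ or @PARSER:name:param@ ; the param may contain ':' or spaces.
# Anonymous parsers (@NUMBER@ without a name) are not handled here.
TOKEN_RE = re.compile(r"@([A-Za-z0-9]+):([^:@]*)(?::([^@]*))?@")
NUMBER_RE = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")
IPV4_RE = re.compile(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}")


def tokenize(pattern):
    """Split a pattern into ('LIT', text, None) and (PARSER, name, param) tokens."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("LIT", pattern[pos:m.start()], None))
        tokens.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("LIT", pattern[pos:], None))
    return tokens


def parse_one(kind, param, msg, pos):
    """Apply one parser at msg[pos:]. Return (value, new_pos) or None."""
    rest = msg[pos:]
    if kind == "ESTRING":       # text up to the delimiter; the delimiter is consumed
        idx = rest.find(param)
        return None if idx < 0 else (rest[:idx], pos + idx + len(param))
    if kind == "QSTRING":       # quoted text; 1 char = same quote both ends, 2 = open/close
        if not param or len(param) > 2:
            raise ValueError("QSTRING needs one or two quote characters")
        opener, closer = param[0], param[-1]
        if not rest.startswith(opener):
            return None
        idx = rest.find(closer, 1)
        return None if idx < 0 else (rest[1:idx], pos + idx + 1)
    if kind == "NUMBER":        # decimal digits, or hex when prefixed with 0x
        m = NUMBER_RE.match(rest)
        return None if m is None else (m.group(0), pos + m.end())
    if kind == "IPv4":          # dotted quad, each octet 0..255
        m = IPV4_RE.match(rest)
        if m is None or any(int(o) > 255 for o in m.group(0).split(".")):
            return None
        return m.group(0), pos + m.end()
    if kind == "ANYSTRING":     # everything to the end of the message
        return rest, len(msg)
    raise ValueError("unsupported parser %s" % kind)


def parse(pattern, msg):
    """Match the whole message against a pattern; return fields or None."""
    fields, pos = {}, 0
    for kind, name, param in tokenize(pattern):
        if kind == "LIT":
            if not msg.startswith(name, pos):
                return None
            pos += len(name)
            continue
        hit = parse_one(kind, param, msg, pos)
        if hit is None:
            return None
        fields[name], pos = hit
    return fields if pos == len(msg) else None  # pattern must consume the whole message


def ipv4_to_int(dotted):
    """Dotted quad -> unsigned 32-bit int, the form an integer column can hold."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def normalize(fields, ipv4_fields):
    """Copy of fields with the named IPv4 fields converted to integers.
    Illustrates the conversion the maintainer describes for IPv4-flagged
    fields; this is an assumed helper, not ELSA's Reader.pm code."""
    out = dict(fields)
    for name in ipv4_fields:
        if name in out:
            out[name] = ipv4_to_int(out[name])
    return out


# Message quoted in this thread, re-joined onto one line. The ASA has substituted
# object names for the addresses, so there is no bare IPv4 for @IPv4@ to match.
ASA_NAMED = ("access-list Outside_access_in permitted tcp "
             "Outside/Outside-AAR-FW-WAPGuest-8.2.1.17(50748) -> "
             "DMZ2043-SYS-Hi_Ton/Outside-NAT-HT-Hellermann-Hi-Ton-8.2.14.17(80) "
             "hit-cnt 1 first hit [0x281e5523, 0xb8883872]")

# Constructed variant with raw addresses (not from the thread) for the IPv4 parser.
ASA_ADDR = ("access-list acl_out permitted tcp outside/10.1.1.5(50748) -> "
            "dmz/10.2.2.9(80) hit-cnt 1 first hit [0x00000001, 0x00000002]")

# Field names below are assumptions for the example.
PATTERN_NAMED = ("access-list @ESTRING:acl: @@ESTRING:action: @@ESTRING:proto: @"
                 "@ESTRING:src_if:/@@ESTRING:src_host:(@@NUMBER:src_port@) -> "
                 "@ESTRING:dst_if:/@@ESTRING:dst_host:(@@NUMBER:dst_port@) "
                 "hit-cnt @NUMBER:hit_cnt@ first hit @QSTRING:hashes:[]@")

PATTERN_ADDR = ("access-list @ESTRING:acl: @@ESTRING:action: @@ESTRING:proto: @"
                "@ESTRING:src_if:/@@IPv4:srcip@(@NUMBER:srcport@) -> "
                "@ESTRING:dst_if:/@@IPv4:dstip@(@NUMBER:dstport@) "
                "hit-cnt @NUMBER:hit_cnt@ @ANYSTRING:tail@")

if __name__ == "__main__":
    print(parse(PATTERN_NAMED, ASA_NAMED))
    print(parse(PATTERN_ADDR, ASA_NAMED))            # None: object names are not IPv4
    print(normalize(parse(PATTERN_ADDR, ASA_ADDR), ["srcip", "dstip"]))
```

Two things the run makes visible: PATTERN_ADDR returns None for the quoted message because the ASA logged object names rather than addresses, so only ESTRING can capture those endpoints and the IPv4-to-integer conversion cannot apply to them; and PATTERN_NAMED also matches the raw-address variant, since ESTRING accepts any text up to its delimiter, which is why the stricter IPv4 parser is worth using when the log really carries addresses.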