Last active
December 31, 2015 20:18
-
-
Save linickx/8038784 to your computer and use it in GitHub Desktop.
Playing is syslog-ng patterns (quotes and bluecoat)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <patterndb version='4' pub_date='2013-12-17'> | |
| <ruleset name='bluecoat' id='dd001'> | |
| <pattern>bluecoat</pattern> | |
| <rules> | |
| <rule provider='linickx' id='nbdd001' class='system'> | |
| <patterns> | |
| <pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@ @NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - - @ESTRING:BC_ACTION: @ "</pattern> | |
| </patterns> | |
| <examples> | |
| <example> | |
| <test_message program="bluecoat">10:57:56 43 10.8.26.200 - - - OBSERVED "Web Ads/Analytics" http://googleads.g.doubleclick.net/mads/ 200 TCP_CLIENT_REFRESH GET image/png http pagead2.googlesyndication.com 80 /pagead/images/nessie_icon_chevron_white.png - png "Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; P76a(K3G5) Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 (Mobile; afma-sdk-a-v6.2.1)" 10.8.24.5 724 1277 -</test_message> | |
| <test_values> | |
| <test_value name="BC_HOUR">10</test_value> | |
| <test_value name="BC_MIN">57</test_value> | |
| <test_value name="BC_SEC">56</test_value> | |
| <test_value name="BC_TIME_TAKEN">43</test_value> | |
| <test_value name="BC_CLIENT_ADDRESS">10.8.26.200</test_value> | |
| <test_value name="BC_ACTION">OBSERVED</test_value> | |
| </test_values> | |
| </example> | |
| </examples> | |
| </rule> | |
| </rules> | |
| </ruleset> | |
| </patterndb> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [nick@localhost ~]$ pdbtool test --validate nick.xml | |
| nick.xml validates | |
| Key contains '@' without escaping; key='@"', value='nbdd001' | |
| Testing message program='bluecoat' message='10:57:56 43 10.8.26.200 - - - OBSERVED "Web Ads/Analytics" http://googleads.g.doubleclick.net/mads/ 200 TCP_CLIENT_REFRESH GET image/png http pagead2.googlesyndication.com 80 /pagead/images/nessie_icon_chevron_white.png - png "Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; P76a(K3G5) Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 (Mobile; afma-sdk-a-v6.2.1)" 10.8.24.5 724 1277 -' | |
| Wrong match name='.classifier.rule_id', value='', expected='nbdd001' | |
| Wrong match name='BC_HOUR', value='', expected='10' | |
| Wrong match name='BC_MIN', value='', expected='57' | |
| Wrong match name='BC_SEC', value='', expected='56' | |
| Wrong match name='BC_TIME_TAKEN', value='', expected='43' | |
| Wrong match name='BC_CLIENT_ADDRESS', value='', expected='10.8.26.200' | |
| Wrong match name='BC_ACTION', value='', expected='OBSERVED' | |
| [nick@localhost ~]$ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <patterndb version='4' pub_date='2013-12-17'> | |
| <ruleset name='bluecoat' id='dd001'> | |
| <pattern>bluecoat</pattern> | |
| <rules> | |
| <rule provider='linickx' id='nbdd001' class='system'> | |
| <patterns> | |
| <pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@ @NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - - @ESTRING:BC_ACTION: @ @"</pattern> | |
| </patterns> | |
| <examples> | |
| <example> | |
| <test_message program="bluecoat">10:57:56 43 10.8.26.200 - - - OBSERVED "Web Ads/Analytics" http://googleads.g.doubleclick.net/mads/ 200 TCP_CLIENT_REFRESH GET image/png http pagead2.googlesyndication.com 80 /pagead/images/nessie_icon_chevron_white.png - png "Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; P76a(K3G5) Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 (Mobile; afma-sdk-a-v6.2.1)" 10.8.24.5 724 1277 -</test_message> | |
| <test_values> | |
| <test_value name="BC_HOUR">10</test_value> | |
| <test_value name="BC_MIN">57</test_value> | |
| <test_value name="BC_SEC">56</test_value> | |
| <test_value name="BC_TIME_TAKEN">43</test_value> | |
| <test_value name="BC_CLIENT_ADDRESS">10.8.26.200</test_value> | |
| <test_value name="BC_ACTION">OBSERVED</test_value> | |
| </test_values> | |
| </example> | |
| </examples> | |
| </rule> | |
| </rules> | |
| </ruleset> | |
| </patterndb> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <patterndb version='4' pub_date='2013-12-17'> | |
| <ruleset name='bluecoat' id='dd001'> | |
| <pattern>bluecoat</pattern> | |
| <rules> | |
| <rule provider='linickx' id='nbdd001' class='system'> | |
| <patterns> | |
| <pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@ @NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - - @ESTRING:BC_ACTION: @ \"</pattern> | |
| </patterns> | |
| <examples> | |
| <example> | |
| <test_message program="bluecoat">10:57:56 43 10.8.26.200 - - - OBSERVED "Web Ads/Analytics" http://googleads.g.doubleclick.net/mads/ 200 TCP_CLIENT_REFRESH GET image/png http pagead2.googlesyndication.com 80 /pagead/images/nessie_icon_chevron_white.png - png "Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; P76a(K3G5) Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 (Mobile; afma-sdk-a-v6.2.1)" 10.8.24.5 724 1277 -</test_message> | |
| <test_values> | |
| <test_value name="BC_HOUR">10</test_value> | |
| <test_value name="BC_MIN">57</test_value> | |
| <test_value name="BC_SEC">56</test_value> | |
| <test_value name="BC_TIME_TAKEN">43</test_value> | |
| <test_value name="BC_CLIENT_ADDRESS">10.8.26.200</test_value> | |
| <test_value name="BC_ACTION">OBSERVED</test_value> | |
| </test_values> | |
| </example> | |
| </examples> | |
| </rule> | |
| </rules> | |
| </ruleset> | |
| </patterndb> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <patterndb version='4' pub_date='2013-12-17'> | |
| <ruleset name='bluecoat' id='dd001'> | |
| <pattern>bluecoat</pattern> | |
| <rules> | |
| <rule provider='linickx' id='nbdd001' class='system'> | |
| <patterns> | |
| <pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@ @NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - - @ESTRING:BC_ACTION: @ @ESTRING:BC_CATEGORY: @</pattern> | |
| </patterns> | |
| <examples> | |
| <example> | |
| <test_message program="bluecoat">10:57:56 43l 10.8.26.200 - - - OBSERVED "Web Ads/Analytics" http://googleads.g.doubleclick.net/mads/ 200 TCP_CLIENT_REFRESH GET image/png http pagead2.googlesyndication.com 80 /pagead/images/nessie_icon_chevron_white.png - png "Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; P76a(K3G5) Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 (Mobile; afma-sdk-a-v6.2.1)" 10.8.24.5 724 1277 -</test_message> | |
| <test_values> | |
| <test_value name="BC_HOUR">10</test_value> | |
| <test_value name="BC_MIN">57</test_value> | |
| <test_value name="BC_SEC">56</test_value> | |
| <test_value name="BC_TIME_TAKEN">43</test_value> | |
| <test_value name="BC_CLIENT_ADDRESS">10.8.26.200</test_value> | |
| <test_value name="BC_ACTION">OBSERVED</test_value> | |
| <test_value name="BC_CATEGORY">"Web Ads/Analytics"</test_value> | |
| </test_values> | |
| </example> | |
| </examples> | |
| </rule> | |
| </rules> | |
| </ruleset> | |
| </patterndb> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <patterndb version='4' pub_date='2013-12-17'> | |
| <ruleset name='bluecoat' id='dd001'> | |
| <pattern>bluecoat</pattern> | |
| <rules> | |
| <rule provider='linickx' id='nbdd001' class='system'> | |
| <patterns> | |
| <pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@ @NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - - @ESTRING:BC_ACTION: @ "@ESTRING:BC_CATEGORY:"@</pattern> | |
| </patterns> | |
| <examples> | |
| <example> | |
| <test_message program="bluecoat">10:57:56 43 10.8.26.200 - - - OBSERVED "Web Ads/Analytics" http://googleads.g.doubleclick.net/mads/ 200 TCP_CLIENT_REFRESH GET image/png http pagead2.googlesyndication.com 80 /pagead/images/nessie_icon_chevron_white.png - png "Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; P76a(K3G5) Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 (Mobile; afma-sdk-a-v6.2.1)" 10.8.24.5 724 1277 -</test_message> | |
| <test_values> | |
| <test_value name="BC_HOUR">10</test_value> | |
| <test_value name="BC_MIN">57</test_value> | |
| <test_value name="BC_SEC">56</test_value> | |
| <test_value name="BC_TIME_TAKEN">43</test_value> | |
| <test_value name="BC_CLIENT_ADDRESS">10.8.26.200</test_value> | |
| <test_value name="BC_ACTION">OBSERVED</test_value> | |
| <test_value name="BC_CATEGORY">Web Ads/Analytics</test_value> | |
| </test_values> | |
| </example> | |
| </examples> | |
| </rule> | |
| </rules> | |
| </ruleset> | |
| </patterndb> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <patterndb version='4' pub_date='2013-12-17'> | |
| <ruleset name='bluecoat' id='dd001'> | |
| <pattern>bluecoat</pattern> | |
| <rules> | |
| <rule provider='linickx' id='nbdd001' class='system'> | |
| <patterns> | |
| <pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@ @NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - - @ESTRING:BC_ACTION: @ @QSTRING:BC_CATEGORY:"@</pattern> | |
| </patterns> | |
| <examples> | |
| <example> | |
| <test_message program="bluecoat">10:57:56 43l 10.8.26.200 - - - OBSERVED "Web Ads/Analytics" http://googleads.g.doubleclick.net/mads/ 200 TCP_CLIENT_REFRESH GET image/png http pagead2.googlesyndication.com 80 /pagead/images/nessie_icon_chevron_white.png - png "Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; P76a(K3G5) Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 (Mobile; afma-sdk-a-v6.2.1)" 10.8.24.5 724 1277 -</test_message> | |
| <test_values> | |
| <test_value name="BC_HOUR">10</test_value> | |
| <test_value name="BC_MIN">57</test_value> | |
| <test_value name="BC_SEC">56</test_value> | |
| <test_value name="BC_TIME_TAKEN">43</test_value> | |
| <test_value name="BC_CLIENT_ADDRESS">10.8.26.200</test_value> | |
| <test_value name="BC_ACTION">OBSERVED</test_value> | |
| <test_value name="BC_CATEGORY">Web Ads/Analytics</test_value> | |
| </test_values> | |
| </example> | |
| </examples> | |
| </rule> | |
| </rules> | |
| </ruleset> | |
| </patterndb> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <patterndb version='4' pub_date='2013-12-17'> | |
| <ruleset name='bluecoat' id='dd001'> | |
| <pattern>bluecoat</pattern> | |
| <rules> | |
| <rule provider='linickx' id='nbdd001' class='system'> | |
| <patterns> | |
| <pattern>@NUMBER:BC_HOUR:@:@NUMBER:BC_MIN:@:@NUMBER:BC_SEC:@ @NUMBER:BC_TIME_TAKEN:@ @IPv4:BC_CLIENT_ADDRESS:@ - - - @ESTRING:BC_ACTION: @</pattern> | |
| </patterns> | |
| <examples> | |
| <example> | |
| <test_message program="bluecoat">10:57:56 43 10.8.26.200 - - - OBSERVED "Web Ads/Analytics" http://googleads.g.doubleclick.net/mads/ 200 TCP_CLIENT_REFRESH GET image/png http pagead2.googlesyndication.com 80 /pagead/images/nessie_icon_chevron_white.png - png "Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; P76a(K3G5) Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 (Mobile; afma-sdk-a-v6.2.1)" 10.8.24.5 724 1277 -</test_message> | |
| <test_values> | |
| <test_value name="BC_HOUR">10</test_value> | |
| <test_value name="BC_MIN">57</test_value> | |
| <test_value name="BC_SEC">56</test_value> | |
| <test_value name="BC_TIME_TAKEN">43</test_value> | |
| <test_value name="BC_CLIENT_ADDRESS">10.8.26.200</test_value> | |
| <test_value name="BC_ACTION">OBSERVED</test_value> | |
| <test_value name="BC_CATEGORY">"Web Ads/Analytics"</test_value> | |
| </test_values> | |
| </example> | |
| </examples> | |
| </rule> | |
| </rules> | |
| </ruleset> | |
| </patterndb> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment