This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Syslog-NG patternDB for Sophos Firewall

I'm currently trying to create a Pattern for the Firewall log of our Sophos Firewall.

I came up with this:

<ruleset name="sophos" id='10001'>
<pattern></pattern>
<rules>
    <rule provider="doesntmatter" class='10001' id='10001'>
        <patterns>
            <pattern>@ESTRING::action=@"@ESTRING:s0:@" fwrule="@NUMBER:i0:@" @ESTRING::srcip=@"@IPv4:i1:@" dstip="@IPv4:i2:@" @ESTRING::srcport@"@NUMBER:i3:@" dstport="@NUMBER:i4:@"</pattern>
        </patterns>
    </rule>
</rules>

The example message I'm using is:

05:03-09:26:10 rim-utm-01-2 ulogd[8750]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="118" initf="eth0.666" outitf="ppp2" srcmac="*A MAC*" dstmac="*A MAC*" srcip="*IP*" dstip="*IP*" proto="17" length="105" tos="0x00" prec="0x00" ttl="127" srcport="50946" dstport="161"
I try matching it with pdbtool.TellTheBell This is the output:

Missing ESTRING parser parameters; type='ESTRING'
MESSAGE=05:03-09:26:10 rim-utm-01-2 ulogd[8750]: id=2001 severity=info sys=SecureNet sub=packetfilter name=Packet
.classifier.class=unknown
TAGS=.classifier.unknown
 


This thread was automatically locked due to age.