I'm currently trying to create a Pattern for the Firewall log of our Sophos Firewall.
I came up with this:
<ruleset name="sophos" id='10001'> <pattern></pattern> <rules> <rule provider="doesntmatter" class='10001' id='10001'> <patterns> <pattern>@ESTRING::action=@"@ESTRING:s0:@" fwrule="@NUMBER:i0:@" @ESTRING::srcip=@"@IPv4:i1:@" dstip="@IPv4:i2:@" @ESTRING::srcport@"@NUMBER:i3:@" dstport="@NUMBER:i4:@"</pattern> </patterns> </rule> </rules>
The example message I'm using is:
05:03-09:26:10 rim-utm-01-2 ulogd[8750]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="118" initf="eth0.666" outitf="ppp2" srcmac="*A MAC*" dstmac="*A MAC*" srcip="*IP*" dstip="*IP*" proto="17" length="105" tos="0x00" prec="0x00" ttl="127" srcport="50946" dstport="161"
I try matching it with pdbtool.TellTheBell This is the output:
Missing ESTRING parser parameters; type='ESTRING'
MESSAGE=05:03-09:26:10 rim-utm-01-2 ulogd[8750]: id=2001 severity=info sys=SecureNet sub=packetfilter name=Packet
.classifier.class=unknown
TAGS=.classifier.unknown
This thread was automatically locked due to age.