[syslog-ng] Separating Remote Logs

Nate Hausrath hausrath.mailing.list at gmail.com
Mon Jan 11 20:07:23 CET 2010


Everything appears to work properly with the patterndb.xml file.
Dumping worked fine, and here is what happened when I matched:

# ./pdbtool match -p /opt/syslog-ng/var/patterndb.xml -P su -M "+ pts/2 root:nateh"
MESSAGE=+ pts/2 root:nateh
PROGRAM=su
.classifier.class=system
.classifier.rule_id=04ba999a-75fe-11dd-9bba-001e6806451b

However, when I use my custom XML file with a message that should
match, it doesn't work:

# ./pdbtool match -p /opt/syslog-ng/var/capcdb2.xml -P "MSWinEventLog" -M "This is the message"
MESSAGE=This is the message
PROGRAM=MSWinEventLog
.classifier.class=unknown

Here is the relevant part in the XML:

    <ruleset name='win' id='2'>
        <pattern>MSWinEventLog</pattern>
        <rules>
            <rule provider='capc' id='2' class='system'>
                <description>Detects Windows logs from Snare</description>
                <patterns>
                    <pattern></pattern>
                </patterns>
            </rule>
        </rules>
    </ruleset>

I'm assuming that leaving the <pattern> part blank should cause it to
match on anything with "MSWinEventLog", right?

Thanks!
-Nate

On Mon, Jan 11, 2010 at 10:33 AM, SZALAY Attila <sasa at balabit.hu> wrote:
> Hi!
>
> On Mon, 2010-01-11 at 09:55 -0500, Nate Hausrath wrote:
>>
>> Right now, the ASA logs are being placed in the other.log file, and no
>> other logs are being placed anywhere (even though I have verified they
>> are being received).  Just to reiterate, I'm trying to place the
>> Windows logs in a windows.log file, ASA logs in an asa.log file, and
>> everything else in the other.log file.
>
> You can try to match a log message with the given pattern ruleset with
> the pdbtool command.
>
> First try to dump the patterndb with the dump command
> pdbtool dump -p /opt/ssb/var/db/patterndb.xml -T
>
> Then check the programs:
>
> pdbtool dump -p /opt/ssb/var/db/patterndb.xml -P zcv
>
> After that (if everything is good) try to match a log message:
>
> pdbtool match -p /opt/ssb/var/db/patterndb.xml -P zcv -M "Iam the message part."
>
> Do not forget to set the program with the -P option.
>
> Did pdbtool find the correct rule?
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
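Since the thread turns on how pdbtool decides whether a ruleset's message pattern matches, here is a small Python model of patterndb matching, added as an example. It is not syslog-ng's code and does not run pdbtool. It assumes, as I understand syslog-ng's matcher to behave, that a message pattern is anchored at the start of the message and must consume the whole message, and it supports only the @ANYSTRING@, @ESTRING@, @STRING@ and @NUMBER@ parsers. Under that assumption an empty <pattern> can only match an empty message, so the model also lints a ruleset for rules with empty patterns. The ruleset XML, the rule ids and the sample messages below are constructed for this example.

```python
"""Toy model of syslog-ng patterndb matching (educational; not syslog-ng's code).

Assumptions: message patterns are anchored at the start and must consume the whole
message; only @ANYSTRING@, @ESTRING@, @STRING@ and @NUMBER@ parsers are modelled.
"""
import re
import xml.etree.ElementTree as ET

# Constructed ruleset: one rule with an empty pattern (as in the question) and one
# rule that matches any message via @ANYSTRING@, plus a 'su' ruleset for comparison.
SAMPLE_DB = """<patterndb version='3' pub_date='2010-01-11'>
  <ruleset name='win' id='2'>
    <pattern>MSWinEventLog</pattern>
    <rules>
      <rule provider='capc' id='capc-2' class='system'>
        <patterns><pattern></pattern></patterns>
      </rule>
      <rule provider='capc' id='capc-3' class='system'>
        <patterns><pattern>@ANYSTRING:msg@</pattern></patterns>
      </rule>
    </rules>
  </ruleset>
  <ruleset name='su' id='1'>
    <pattern>su</pattern>
    <rules>
      <rule provider='example' id='su-1' class='system'>
        <patterns>
          <pattern>+ @ESTRING:tty: @@ESTRING:from_user::@@STRING:to_user@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>"""

# @PARSER@, @PARSER:name@ or @PARSER:name:param@ (param is the ESTRING delimiter).
PARSER_RE = re.compile(r"@([A-Z0-9]+)(?::([^:@]*))?(?::([^@]*))?@")


def compile_pattern(pattern: str) -> re.Pattern:
    """Translate a patterndb pattern into an anchored regex (used with fullmatch)."""
    regex, pos = "", 0
    for m in PARSER_RE.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()])  # literal text between parsers
        kind, name, param = m.group(1), m.group(2), m.group(3)
        if kind == "ANYSTRING":
            body, tail = ".*", ""
        elif kind == "ESTRING":            # up to and including the delimiter
            body, tail = ".*?", re.escape(param or "")
        elif kind == "STRING":
            body, tail = r"\S+", ""
        elif kind == "NUMBER":
            body, tail = r"\d+", ""
        else:
            raise ValueError(f"unsupported parser @{kind}@")
        regex += (f"(?P<{name}>{body})" if name else body) + tail
        pos = m.end()
    regex += re.escape(pattern[pos:])
    return re.compile(regex, re.DOTALL)


def load_rules(xml_text: str) -> list:
    """Flatten a patterndb document into (program patterns, rule) records."""
    rules = []
    for ruleset in ET.fromstring(xml_text).findall("ruleset"):
        programs = [compile_pattern(p.text or "") for p in ruleset.findall("pattern")]
        for rule in ruleset.findall("rules/rule"):
            raw = [p.text or "" for p in rule.findall("patterns/pattern")]
            rules.append({"programs": programs, "id": rule.get("id"),
                          "class": rule.get("class"), "raw": raw,
                          "patterns": [compile_pattern(p) for p in raw]})
    return rules


def classify(rules: list, program: str, message: str) -> dict:
    """Return the name/value pairs pdbtool match would print for this message."""
    result = {"MESSAGE": message, "PROGRAM": program, ".classifier.class": "unknown"}
    for rule in rules:
        if not any(p.fullmatch(program) for p in rule["programs"]):
            continue                        # ruleset is for a different PROGRAM
        for pat in rule["patterns"]:
            m = pat.fullmatch(message)      # whole message must be consumed
            if m:
                result[".classifier.class"] = rule["class"]
                result[".classifier.rule_id"] = rule["id"]
                result.update(m.groupdict())
                return result
    return result


def empty_patterns(rules: list) -> list:
    """Lint: ids of rules whose pattern is empty; these only match an empty message."""
    return [r["id"] for r in rules if "" in r["raw"]]


RULES = load_rules(SAMPLE_DB)

if __name__ == "__main__":
    print("rules with empty patterns:", empty_patterns(RULES))
    for prog, msg in [("MSWinEventLog", "This is the message"), ("su", "+ pts/2 root:nateh")]:
        for k, v in classify(RULES, prog, msg).items():
            print(f"{k}={v}")
```

Running it shows the empty-pattern rule flagged by the lint and the "This is the message" sample classified by the @ANYSTRING@ rule instead, which is the behaviour to check against a real `pdbtool match` run after editing the ruleset.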