[syslog-ng] Separating Remote Logs

Martin Holste mcholste at gmail.com
Tue Jan 12 02:41:54 CET 2010


Class=unknown is a bad sign for that, so it must not be working
properly.  Here's an excerpt from my V2 patterndb, but I use a pipe as
a delimiter in my Snare configuration:

<patterndb version='2' pub_date='2009-11-04'>
    <ruleset name="FWSM" id='2'>
        <pattern>%FWSM</pattern>
        <rules>
            <!-- ACL deny: i0 protocol; s0/i1/i2 source interface, address, port;
                 s1/i3/i4 destination interface, address, port; s2 access-group name -->
            <rule provider="me" class='2' id='2'>
                <patterns>
                    <pattern>Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@</pattern>
                </patterns>
            </rule>
            <!-- connection teardown: i0 protocol; s0/i1/i2 and s1/i3/i4 the two endpoints;
                 s2 duration; i5 byte count -->
            <rule provider="me" class='3' id='3'>
                <patterns>
                    <pattern>Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@</pattern>
                </patterns>
            </rule>
        </rules>
    </ruleset>
    <ruleset name="Windows" id='4'>
        <pattern>MSWinEventLog</pattern>
        <rules>
            <rule provider="me" class='4' id='4'>
                <patterns>
                    <!-- whitespace-delimited Snare fields -->
                    <pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@      @ESTRING:i0: @@ESTRING:s0:   @@ESTRING:s1:   @@ESTRING:s2:   @@ESTRING:s3:   @@ESTRING:s4:   @@ESTRING:s5: @@ESTRING::     @@ESTRING::     @</pattern>
                    <!-- pipe-delimited Snare fields; the "Logon Failure" event text is split
                         into Reason (s2) and User Name (s1) -->
                    <pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@|Logon Failure:@ESTRING::     @Reason:                @ESTRING:s2:    @User Name: @ESTRING:s1: @</pattern>
                    <!-- pipe-delimited Snare fields, generic -->
                    <pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING::|@@ESTRING::|@</pattern>
                </patterns>
            </rule>
        </rules>
    </ruleset>
</patterndb>

--Martin
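As an added example that is not part of Martin's post and not syslog-ng or pdbtool code: a small Python re-implementation of the subset of pattern-database matching this thread relies on. It handles the @PARSER:name:arg@ tokens used in the patterns above (STRING, ESTRING, QSTRING, NUMBER, IPv4, plus ANYSTRING), requires the whole message to be consumed, which is how syslog-ng's pattern database matches (a trailing @ANYSTRING@ is the documented way to accept a free-text tail), and reports the same .classifier.class / .classifier.rule_id keys that Nate's pdbtool output shows. The FWSM patterns are Martin's two rules with the archive's line wrapping and " at " obfuscation undone; the FWSM sample messages, the rule-selection order (first matching pattern, rather than syslog-ng's radix-tree lookup), and the program-name check are constructed simplifications. The last case, an @ANYSTRING@ catch-all in place of Nate's empty <pattern></pattern>, is the editor's illustration of why the empty pattern yields class=unknown; the thread itself does not propose it.

```python
"""Minimal re-implementation of the pattern-database matching discussed in this
thread (editor's example, not syslog-ng or pdbtool code). A pattern matches only
if it consumes the whole message, so an empty <pattern></pattern> never matches."""
import re

# Token forms: @PARSER@, @PARSER:name@, @PARSER:name:arg@
TOKEN = re.compile(r"@(STRING|ESTRING|QSTRING|NUMBER|IPv4|ANYSTRING)"
                   r"(?::([^:@]*)(?::([^@]*))?)?@")


def _parse(kind, arg, msg, pos):
    """Apply one parser at msg[pos:]; return (value, new_pos) or None on failure."""
    rest = msg[pos:]
    if kind == "STRING":    # non-whitespace run; arg adds extra stop characters
        m = re.match(r"[^\s%s]+" % re.escape(arg), rest)
        return (m.group(), pos + m.end()) if m else None
    if kind == "ESTRING":   # text before the delimiter string, delimiter consumed
        if not arg:
            return rest, len(msg)
        end = msg.find(arg, pos)
        return (msg[pos:end], end + len(arg)) if end >= 0 else None
    if kind == "QSTRING":   # text between the opening and closing quote characters
        if not arg or not rest.startswith(arg[0]):
            return None
        end = msg.find(arg[-1], pos + 1)
        return (msg[pos + 1:end], end + 1) if end >= 0 else None
    if kind == "NUMBER":    # decimal digits (syslog-ng also accepts 0x hex)
        m = re.match(r"\d+", rest)
        return (m.group(), pos + m.end()) if m else None
    if kind == "IPv4":
        m = re.match(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", rest)
        if m and all(int(o) <= 255 for o in m.groups()):
            return m.group(), pos + m.end()
        return None
    return rest, len(msg)   # ANYSTRING: everything up to the end of the message


def match_pattern(pattern, msg):
    """Return the fields a pattern captures from msg, or None if it does not match."""
    fields, i, pos = {}, 0, 0
    while i < len(pattern):
        if pattern.startswith("@@", i):         # escaped literal '@'
            if not msg.startswith("@", pos):
                return None
            i, pos = i + 2, pos + 1
            continue
        tok = TOKEN.match(pattern, i)
        if tok:
            kind, name, arg = tok.groups()
            res = _parse(kind, arg or "", msg, pos)
            if res is None:
                return None
            value, pos = res
            if name:
                fields[name] = value
            i = tok.end()
        elif pattern[i] == "@":
            raise ValueError("unknown parser at offset %d in %r" % (i, pattern))
        elif msg.startswith(pattern[i], pos):   # literal character
            i, pos = i + 1, pos + 1
        else:
            return None
    return fields if pos == len(msg) else None


def classify(rulesets, program, message):
    """Mimic pdbtool's .classifier.* output. Simplified: ruleset chosen by matching its
    program pattern against PROGRAM, first matching rule pattern wins (syslog-ng uses
    a radix tree for both lookups)."""
    for rs in rulesets:
        if match_pattern(rs["program"], program) is None:
            continue
        for rule in rs["rules"]:
            for pat in rule["patterns"]:
                fields = match_pattern(pat, message)
                if fields is not None:
                    return {".classifier.class": rule["class"],
                            ".classifier.rule_id": rule["id"], **fields}
    return {".classifier.class": "unknown"}


# Martin's two FWSM patterns, re-joined from the archive's line wrapping and with
# the list software's " at " obfuscation turned back into "@".
DENY = ('Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@'
        '@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@')
TEARDOWN = ('Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/'
            '@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @'
            'bytes @NUMBER:i5:@')
FWSM = {"program": "%FWSM", "rules": [{"class": "2", "id": "2", "patterns": [DENY]},
                                      {"class": "3", "id": "3", "patterns": [TEARDOWN]}]}
# Nate's ruleset as posted (empty pattern) and an @ANYSTRING@ catch-all for comparison.
WIN_EMPTY = {"program": "MSWinEventLog", "rules": [{"class": "system", "id": "2", "patterns": [""]}]}
WIN_ANY = {"program": "MSWinEventLog", "rules": [{"class": "system", "id": "2", "patterns": ["@ANYSTRING@"]}]}


def demo():
    """Constructed FWSM-style messages plus the message from Nate's pdbtool run."""
    deny = 'Deny tcp src inside:10.0.0.5/51234 dst outside:192.0.2.10/443 by access-group "acl_inside"'
    teardown = ('Teardown TCP connection 188793 for outside:192.0.2.10/443 '
                'to inside:10.0.0.5/51234 duration 0:00:12 bytes 4096')
    return {"deny": classify([FWSM], "%FWSM", deny),
            "teardown": classify([FWSM], "%FWSM", teardown),
            "nate": classify([WIN_EMPTY], "MSWinEventLog", "This is the message"),
            "catch_all": classify([WIN_ANY], "MSWinEventLog", "This is the message")}
```

Running demo() shows the deny message classified as rule 2 with the protocol, interfaces, addresses, ports and ACL name pulled out, the teardown as rule 3, Nate's "This is the message" as class unknown under the empty pattern, and the same message as class system once the rule has something that can consume it.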

On Mon, Jan 11, 2010 at 1:07 PM, Nate Hausrath
<hausrath.mailing.list at gmail.com> wrote:
> Everything appears to work properly with the patterndb.xml file.
> Dumping worked fine, and here is what happened when I matched:
>
> # ./pdbtool match -p /opt/syslog-ng/var/patterndb.xml -P su -M "+ pts/2 root:nateh"
> MESSAGE=+ pts/2 root:nateh
> PROGRAM=su
> .classifier.class=system
> .classifier.rule_id=04ba999a-75fe-11dd-9bba-001e6806451b
>
> However, when I use my custom XML file with a message that should
> match, it doesn't work:
>
> # ./pdbtool match -p /opt/syslog-ng/var/capcdb2.xml -P "MSWinEventLog" -M "This is the message"
> MESSAGE=This is the message
> PROGRAM=MSWinEventLog
> .classifier.class=unknown
>
> Here is the relevant part in the XML:
>
>     <ruleset name='win' id='2'>
>                <pattern>MSWinEventLog</pattern>
>                <rules>
>                        <rule provider='capc' id='2' class='system'>
>                                <description>Detects Windows logs from Snare</description>
>                                <patterns>
>                                        <pattern></pattern>
>                                </patterns>
>                        </rule>
>                </rules>
>      </ruleset>
>
> I'm assuming that leaving the <pattern> part blank should cause it to
> match on anything with "MSWinEventLog", right?
>
> Thanks!
> -Nate
>
> On Mon, Jan 11, 2010 at 10:33 AM, SZALAY Attila <sasa at balabit.hu> wrote:
>> Hi!
>>
>> On Mon, 2010-01-11 at 09:55 -0500, Nate Hausrath wrote:
>>>
>>> Right now, the ASA logs are being placed in the other.log file, and no
>>> other logs are being placed anywhere (even though I have verified they
>>> are being received).  Just to reiterate, I'm trying to place the
>>> Windows logs in a windows.log file, ASA logs in an asa.log file, and
>>> everything else in the other.log file.
>>
>> You can try to match a log message with the given pattern ruleset with
>> the pdbtool command.
>>
>> First try to dump the patterndb with the dump command
>> pdbtool dump -p /opt/ssb/var/db/patterndb.xml -T
>>
>> Then check the programs:
>>
>> pdbtool dump -p /opt/ssb/var/db/patterndb.xml -P zcv
>>
>> After that (if everything is good) try to match a log message:
>>
>> pdbtool match -p /opt/ssb/var/db/patterndb.xml -P zcv -M "Iam the message part."
>>
>> Do not forget to set the program with the -P option.
>>
>> Did pdbtool find the correct rule?
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>
>>