<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><DIV>Hi </DIV>
<DIV>Thanks lot. your email was very usefull. </DIV>
<DIV>I have also general problem(not only syslog-ng), if you know, I want classify and extract log fields, lags can be syslog, snmp trap , ... Then normalize logs in IDMEF standard format.</DIV>
<DIV>I dont know how can i extract pattern form logs, I must check every log type separately?, using pattern recognition methods? or using pattern database (if exist for all aplication and device)? </DIV>
<DIV> </DIV>
<DIV>Thanks</DIV>
<DIV>regards </DIV>
<DIV> </DIV>
<DIV>Majid</DIV>
<DIV> </DIV>
<DIV><BR>--- On <B>Fri, 13/8/10, Robert Fekete <I><frobert@balabit.com></I></B> wrote:<BR></DIV>
<BLOCKQUOTE style="BORDER-LEFT: rgb(16,16,255) 2px solid; PADDING-LEFT: 5px; MARGIN-LEFT: 5px"><BR>From: Robert Fekete <frobert@balabit.com><BR>Subject: Re: [syslog-ng] Pattern extraction<BR>To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu><BR>Date: Friday, 13 August, 2010, 1:14 PM<BR><BR>
<DIV class=plainMail>Hi,<BR><BR>The syslog-ng pattern database is capable of extracting fields and classify log <BR>messages, and with well-structured name-value pairs you can achieve log <BR>normalization as well. However, currently there are not many well-written and <BR>tagged patterns available, so probably you'll have to create your own patterns.<BR><BR>You can find some sample patterns and a preliminary schema at the following git <BR>repository: <A href="http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=summary" target=_blank>http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=summary</A><BR>and some other, less-detailed patterns at <BR><A href="http://www.balabit.com/downloads/files/patterndb-snapshot/" target=_blank>http://www.balabit.com/downloads/files/patterndb-snapshot/</A><BR><BR>You might also want to check Bazsi's blog (<A href="http://bazsi.blogs.balabit.com/" target=_blank>http://bazsi.blogs.balabit.com</A>), it <BR>has a
number of interesting posts about patterndb, and of course the syslog-ng <BR>adminguide, in particular: <BR><A href="http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/concepts_pattern_databases.html" target=_blank>http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/concepts_pattern_databases.html</A> <BR> and<BR><A href="http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/reference_parsers_pattern_databases.html" target=_blank>http://www.balabit.com/dl/html/syslog-ng-ose-v3.1-guide-admin-en.html/reference_parsers_pattern_databases.html</A><BR><BR>Correlation has to be done with an external application based on the tags/fields <BR>you assign to your log messages - maybe others already using patterndb can help <BR>you with the details.<BR><BR>Regards,<BR><BR>Robert<BR><BR>majid as wrote:<BR><BR>> Hi<BR>> Thanks for replying and file.<BR>> I work on network management
project(Correlation of logs), my big problem is log classification and extract log field(normalization of logs). Do you have any idea for it? <BR>> <BR>> --- On Thu, 12/8/10, Robert Fekete <<A href="http://aa.mc631.mail.yahoo.com/mc/compose?to=frobert@balabit.com" ymailto="mailto:frobert@balabit.com">frobert@balabit.com</A>> wrote:<BR>> <BR>> <BR>> From: Robert Fekete <<A href="http://aa.mc631.mail.yahoo.com/mc/compose?to=frobert@balabit.com" ymailto="mailto:frobert@balabit.com">frobert@balabit.com</A>><BR>> Subject: Re: [syslog-ng] Pattern extraction<BR>> To: "Syslog-ng users' and developers' mailing list" <<A href="http://aa.mc631.mail.yahoo.com/mc/compose?to=syslog-ng@lists.balabit.hu" ymailto="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</A>><BR>> Date: Thursday, 12 August, 2010, 4:19 PM<BR>> <BR>> <BR>> majid as wrote:<BR>> <BR>>> Hi<BR>>> I have problem with pattern
extraction from syslog messages. can anyone help me how extract patterns?<BR>> <BR>> <BR>> Hi,<BR>> I assume you are trying to use the pattern database (db_parser()). My collegue, <BR>> Peter Holtzl has written a tutorial about it that you might find useful: <BR>> <A href="http://www.balabit.com/dl/white_papers/syslog-ng-v3.1-whitepaper-message-classification-en.pdf" target=_blank>http://www.balabit.com/dl/white_papers/syslog-ng-v3.1-whitepaper-message-classification-en.pdf</A><BR>> <BR>> Otherwise, please let us know exactly what you are trying to do, how, and what <BR>> the problem is so we can help you.<BR>> <BR>> Regards,<BR>> <BR>> Robert<BR>> <BR>>> <BR>>><BR>>><BR>>><BR>>><BR>>> ------------------------------------------------------------------------<BR>>><BR>>>
______________________________________________________________________________<BR>>> Member info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>>> Documentation: <A href="http://www.balabit.com/support/documentation/?product=syslog-ng" target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>>> FAQ: <A href="http://www.campin.net/syslog-ng/faq.html" target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR>>><BR>> <BR>> ______________________________________________________________________________<BR>> Member info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>> Documentation: <A href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>> FAQ: <A href="http://www.campin.net/syslog-ng/faq.html" target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR>> <BR>> <BR>> <BR>> <BR>> <BR>> <BR>> ------------------------------------------------------------------------<BR>> <BR>> ______________________________________________________________________________<BR>> Member info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>> Documentation: <A href="http://www.balabit.com/support/documentation/?product=syslog-ng" target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>> FAQ: <A href="http://www.campin.net/syslog-ng/faq.html" target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR>>
<BR><BR>______________________________________________________________________________<BR>Member info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>Documentation: <A href="http://www.balabit.com/support/documentation/?product=syslog-ng" target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>FAQ: <A href="http://www.campin.net/syslog-ng/faq.html" target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR><BR></DIV></BLOCKQUOTE></td></tr></table><br>