One copy of the original logs is logged on to the disk and the anonimized copy gets forwarded.<br><br><div class="gmail_quote">On Wed, Dec 21, 2011 at 6:47 PM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div></div><div class="h5">On Wed, 2011-12-21 at 14:31 +0530, Anup Shetty wrote:<br>
> I am new to syslog-ng and would like some help on the pattern matching<br>
> and the substitution option. Currently the requirement is to<br>
> substitute a parameter in the message with a random value in order to<br>
> anonymize it.<br>
><br>
> For example:<br>
><br>
> Dec 31 23:13:25 servername sshd[25218]: Failed<br>
> keyboard-interactive/pam for user1 from 10.x.x.x port 47325 ssh2<br>
><br>
><br>
> If I create a pattern database for this message and pick out the<br>
> username using the string and substitute it user1 to say anon1, will I<br>
> be able to store the original-substituted value pair for this user and<br>
> use it repeatedly?<br>
> Would I be able to do it for all the subsequent logs?<br>
><br>
><br>
> To be more clear, an example substitution process that must happen as<br>
> the logs arrive and the patterns are matched.<br>
> log with user1 arrives and is substituted by anon1<br>
> log with user2 arrives and is substituted by anon2<br>
> again log with user1 arrives and is again substituted by anon1<br>
> log with user3 arrives and is substituted by anon3<br>
> again log with user2 arrives and is again substituted by anon2<br>
> .<br>
> .<br>
> .<br>
> .<br>
> This is required so that once the usernames are substituted for<br>
> attaining anonymity, there must be a way to reverse them for audit<br>
> purposes.<br>
<br>
</div></div>you want to do that on-the-fly or during postprocessing?<br>
<br>
Right now it is not possible to do with patterndb only as it only<br>
extracts information from messages and never changes them, but<br>
anonimization has always been a hidden agenda of patterndb, which never<br>
materialized.<br>
<font color="#888888"><br>
--<br>
Bazsi<br>
<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</font></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Thanks</div><div>Anup</div><br>