Thanks Jim,<div><br></div><div>With this process would I not lose syslog-ng's buffer mechanism in case my destination is temporarily unavailable?</div><div>The other thing I fear would be to lose the IP address of the source and end up with the local address of the relay server if I pass the logs back from the script to a file and then back to syslog-ng.</div>
<div><br></div><div>Another thought: is it possible to increment/decrement the characters, like in a Caesar cipher? So when the username pattern is matched, it just increments it by a defined value and passes it on. In such a case we would just need to remember the increment value to regain the original.</div>
<div><br></div><div>so username "adh" becomes "bei" (each character incremented by 1)</div><div><br><div class="gmail_quote">On Wed, Dec 21, 2011 at 9:34 PM, Jim <span dir="ltr"><<a href="mailto:jrhendri@maine.rr.com">jrhendri@maine.rr.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Caveat: I have not done this (this is just a thought)<br>
<br>
Could you have syslog-ng send the appropriate logs to a program<br>
destination, and use the program to anonymize the data?<br>
<br>
For example, a Perl script could store the real values in a database /<br>
associative array, replacing them with randomized values.<br>
<br>
Then let the Perl script either write to a [file|pipe|socket] that<br>
syslog-ng would listen to and handle as if it were a real log.<br>
<br>
<log source> --> <syslog-ng> --> <perl script> --> syslog-ng --> <final<br>
destination><br>
<br>
Using berkeley db, the Perl script could preserve the mapping in a file,<br>
so if you needed to it would be a simple function to de-anonymize the<br>
logfile.<br>
<br>
Sounds a lot worse than it would be I imagine.<br>
<br>
(but then everything is easy for he who does not have to do it :-)<br>
<br>
Later,<br>
<font color="#888888">Jim<br>
</font><div><div></div><div class="h5"><br>
<br>
On Wed, 2011-12-21 at 14:17 +0100, Balazs Scheidler wrote:<br>
> On Wed, 2011-12-21 at 14:31 +0530, Anup Shetty wrote:<br>
> > I am new to syslog-ng and would like some help on the pattern matching<br>
> > and the substitution option. Currently the requirement is to<br>
> > substitute a parameter in the message with a random value in order to<br>
> > anonymize it.<br>
> ><br>
> > For example:<br>
> ><br>
> > Dec 31 23:13:25 servername sshd[25218]: Failed<br>
> > keyboard-interactive/pam for user1 from 10.x.x.x port 47325 ssh2<br>
> ><br>
> ><br>
> > If I create a pattern database for this message and pick out the<br>
> > username using the string and substitute it user1 to say anon1, will I<br>
> > be able to store the original-substituted value pair for this user and<br>
> > use it repeatedly?<br>
> > Would I be able to do it for all the subsequent logs?<br>
> ><br>
> ><br>
> > To be more clear, an example substitution process that must happen as<br>
> > the logs arrive and the patterns are matched.<br>
> > log with user1 arrives and is substituted by anon1<br>
> > log with user2 arrives and is substituted by anon2<br>
> > again log with user1 arrives and is again substituted by anon1<br>
> > log with user3 arrives and is substituted by anon3<br>
> > again log with user2 arrives and is again substituted by anon2<br>
> > .<br>
> > .<br>
> > .<br>
> > .<br>
> > This is required so that once the usernames are substituted for<br>
> > attaining anonymity, there must be a way to reverse them for audit<br>
> > purposes.<br>
><br>
> you want to do that on-the-fly or during postprocessing?<br>
><br>
> Right now it is not possible to do with patterndb only as it only<br>
> extracts information from messages and never changes them, but<br>
> anonymization has always been a hidden agenda of patterndb, which never<br>
> materialized.<br>
><br>
<br>
<br>
</div></div><div><div></div><div class="h5">______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Thanks and regards,<br>Anup</div><br>
</div>
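As an added example (not code from the thread or from the syslog-ng project), here is a Python sketch of the program-destination approach Jim describes, written for the sshd line quoted in the thread: a counter-based pseudonym is assigned on first sighting, both directions of the mapping are kept in an on-disk map so the same user always becomes the same anonN and an auditor can reverse it, and only the username is touched so the original host and source IP in the message text survive the round trip. The Caesar-shift idea is keyless and length-preserving, so anyone who knows the shift undoes it; a protected mapping table keeps the reversal step under the auditor's control. Python's dbm stands in for Berkeley DB; the `usermap` path, the `Pseudonymizer` class and the sample lines are assumptions made for this example.

```python
import dbm
import re
import sys
import tempfile
# Constructed sample lines in the shape of the sshd message quoted in the thread.
SAMPLE_LINES = [
    "Dec 31 23:13:25 servername sshd[25218]: Failed keyboard-interactive/pam for user1 from 10.0.0.5 port 47325 ssh2",
    "Dec 31 23:13:26 servername sshd[25219]: Failed keyboard-interactive/pam for user2 from 10.0.0.6 port 47326 ssh2",
    "Dec 31 23:13:27 servername sshd[25220]: Failed keyboard-interactive/pam for user1 from 10.0.0.5 port 47327 ssh2",
]
# Capture only the username between "for " and " from"; host and source IP stay in the line.
USER_RE = re.compile(r"(Failed \S+ for )(\S+)( from )")

class Pseudonymizer:
    """Consistent, reversible username substitution backed by a persistent on-disk map."""
    def __init__(self, path):
        self.db = dbm.open(path, "c")  # dbm stands in for the Berkeley DB file Jim mentions

    def pseudonym(self, user):
        key = b"u:" + user.encode()
        found = self.db.get(key)
        if found is None:  # first sighting: allocate the next anonN and store both directions
            n = int(self.db.get(b"counter", b"0")) + 1
            found = b"anon%d" % n
            self.db[b"counter"] = b"%d" % n
            self.db[key] = found
            self.db[b"a:" + found] = user.encode()
        return found.decode()

    def original(self, anon):  # audit-time reversal: anonN back to the real name, or None
        real = self.db.get(b"a:" + anon.encode())
        return real.decode() if real is not None else None

    def rewrite(self, line):
        return USER_RE.sub(lambda m: m.group(1) + self.pseudonym(m.group(2)) + m.group(3), line)

def demo():  # rewrite the sample with a fresh map, reopen the map, reverse one pseudonym
    path = tempfile.mkdtemp() + "/usermap"  # hypothetical map file location
    pz = Pseudonymizer(path)
    out = [pz.rewrite(line) for line in SAMPLE_LINES]
    pz.db.close()
    pz = Pseudonymizer(path)  # the mapping survives a restart of the script
    restored = pz.original("anon1")
    pz.db.close()
    return out, restored

if __name__ == "__main__":  # program() destination mode: log lines on stdin, rewritten lines out
    pz = Pseudonymizer(sys.argv[1] if len(sys.argv) > 1 else "usermap")
    for line in sys.stdin:
        print(pz.rewrite(line), end="", flush=True)
```

The map file is the re-identification key, so it needs the same access control as the unanonymized logs would.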