<div>Nope, no luck yet. Still blanks being spit out. </div><div><br></div><div>Here's the exact extract of the pattern matching and the log:</div><div><br></div><div>Pattern String</div><div>---------------------------</div>
<div><br></div><div><div>@ESTRING:user::@ Security Microsoft Windows security auditing.: [Success Audit] A computer account was changed. Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3e6 Computer Account That Was Changed: Security ID: @ESTRING:: @Account Name: @ESTRING:ACC_NAME: @ Account Domain: WW002 Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: @ESTRING:: @@ESTRING:: @ Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - (EventID 4742)</div>
</div><div><br></div><div>Log</div><div>------------------</div><div><br></div><div><div>Dec 22 03:38:32 <a href="http://Server.zoom11.test.net">Server.zoom11.test.net</a> Microsoft_Windows_security_auditing.[5784]: : Security Microsoft Windows security auditing.: [Success Audit] A computer account was changed. Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3e6 Computer Account That Was Changed: Security ID: S-1-5-21-776561741-789336058-725345543-305444 Account Name: User1$ Account Domain: TEST Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 12/22/2011 3:38:32 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - (EventID 4742)</div>
</div><div><br></div><div><br></div><div><br></div><br><br><div class="gmail_quote">2011/12/22 Fekete Róbert <span dir="ltr"><<a href="mailto:frobert@balabit.hu">frobert@balabit.hu</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im"><br>
On Wednesday, December 21, 2011 16:22 CET, Anup Shetty <<a href="mailto:anupdshetty@gmail.com">anupdshetty@gmail.com</a>> wrote:<br>
<br>
> I am trying to match the pattern for DC logs and here is my XML format<br>
><br>
> Here's the patterndb.xml file at /opt/syslog-ng/var/patterndb.xml"<br>
> ---------------------------------------<br>
> <?xml version='1.0' encoding='UTF-8'?><br>
> <patterndb version='3' pub_date='2011-12-21'><br>
> <ruleset id='90c9b341f4e3d63c5ed8b29950491bf8' name='Domain Ctrls'><br>
> <rules><br>
> <rule provider='localtest' id='012c230f236d6a3f761ba956e7dff26a'<br>
> class='system'><br>
> <patterns><br>
> <pattern><br>
> @ESTRING:user::@ Security Microsoft Windows security auditing.: [Success<br>
> Audit] A computer account was changed. Subject: Security ID: S-1-5-7<br>
> Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon<br>
> ID: 0x3e6 Computer Account That Was Changed: Security ID: @ESTRING::<br>
</div>> @Account Name: @ESTRING:ACC_NAME: @ Account Domain: testdomain<br>
<div><div></div><div class="h5">> Changed Attributes: SAM Account Name: - Display Name: - User<br>
> Principal Name: - Home Directory: - Home Drive: - Script Path: -<br>
> Profile Path: - User Workstations: - Password Last Set: @ESTRING::<br>
> @@ESTRING:: @ Account Expires: - Primary Group ID: -<br>
> AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User<br>
> Account Control: - User Parameters: - SID History: - Logon Hours: -<br>
> DNS Host Name: - Service Principal Names: - Additional Information:<br>
> Privileges: - (EventID 4742)<br>
> </pattern><br>
> </patterns><br>
><br>
> </rule><br>
> </rules><br>
> </ruleset><br>
> </patterndb><br>
><br>
> ---------------------------------------<br>
> Here's the syslog-ng conf extract:<br>
> ---------------------------------------<br>
> parser pattern_db {<br>
> db_parser(<br>
> file("/opt/syslog-ng/var/patterndb.xml")<br>
> );<br>
> };<br>
> destination patt_d{<br>
> file("/data/test/${R_YEAR}/${R_MONTH}/${R_DAY}/Domain_Ctrl__${SOURCEIP}_${R_YEAR}_${R_MONTH}_${R_DAY}.log"<br>
> owner("test")<br>
> group("test")<br>
> perm(0660)<br>
> dir-owner("test")<br>
> dir-group("test")<br>
> dir-perm(0770)<br>
</div></div>> template("$ACC_NAME\n $MSG\n")<br>
> );<br>
> };<br>
><br>
> ---------------------------------<br>
><br>
> but the ACC_NAME returns blank, although the log contains that field.<br>
Hi,<br>
<br>
Try<br>
template("${ACC_NAME}\n $MSG\n")<br>
<br>
HTH,<br>
<br>
Robert<br>
<br>
><br>
><br>
> --<br>
> Thanks<br>
> Anup<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Thanks and regards,<br>Anup</div><br>
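<div>The thread shows the pattern and the log line side by side but never shows what the matching engine does with them. The script below is an added example (mine, not code from the thread or from syslog-ng) that re-implements the two patterndb constructs the posted pattern uses, literal text and <code>@ESTRING:name:delimiter@</code>, and steps the posted pattern through the posted message to report the first point of disagreement. Assumptions: <code>${MSG}</code> is what syslog-ng's BSD-syslog header parser leaves after taking <code>Microsoft_Windows_security_auditing.</code> as PROGRAM and 5784 as PID; whitespace in both texts is as rendered on this page (the mail client may have collapsed runs of spaces); the field names <code>ACC_SID</code> and <code>ACC_DOMAIN</code> in the rewritten pattern are my additions.</div>

```python
"""Step a syslog-ng patterndb pattern through a message to see where matching stops.

Added example for this thread, not syslog-ng code. It models only what the posted
pattern uses: literal text and @ESTRING:name:delimiter@, which swallows everything up
to and including the first occurrence of the delimiter. Patterndb matching is
all-or-nothing: a rule that stops part-way sets none of its fields, so a template
printing ${ACC_NAME} shows nothing even though the value was passed over.
"""
import re
from typing import NamedTuple

# @ESTRING:name:delimiter@  (name may be empty; the delimiter runs to the closing @)
PARSER_RE = re.compile(r"@(?P<ptype>[A-Z]+):(?P<name>[^:@]*):(?P<arg>[^@]*)@")


class MatchResult(NamedTuple):
    ok: bool
    fields: dict
    pos: int      # offset into the message where matching stopped (len(msg) on success)
    reason: str


def tokenize(pattern):
    """Split a pattern into ("lit", text) and ("estring", (name, delimiter)) tokens."""
    tokens, last = [], 0
    for m in PARSER_RE.finditer(pattern):
        if m.group("ptype") != "ESTRING":
            raise NotImplementedError(f"only @ESTRING@ is modelled, got @{m.group('ptype')}@")
        if m.start() > last:
            tokens.append(("lit", pattern[last:m.start()]))
        tokens.append(("estring", (m.group("name"), m.group("arg"))))
        last = m.end()
    if last < len(pattern):
        tokens.append(("lit", pattern[last:]))
    return tokens


def match(pattern, msg):
    """Anchored left-to-right match of pattern against msg (what syslog-ng holds in ${MSG})."""
    pos, fields = 0, {}
    for kind, value in tokenize(pattern):
        if kind == "lit":
            if msg.startswith(value, pos):
                pos += len(value)
                continue
            n = 0  # locate the first character of the literal that disagrees with the message
            while n < len(value) and pos + n < len(msg) and value[n] == msg[pos + n]:
                n += 1
            return MatchResult(False, fields, pos + n,
                               f"pattern expects {value[n:n + 20]!r}, message has {msg[pos + n:pos + n + 20]!r}")
        name, delim = value
        end = msg.find(delim, pos)
        if end < 0:
            return MatchResult(False, fields, pos, f"ESTRING delimiter {delim!r} not found")
        if name:
            fields[name] = msg[pos:end]
        pos = end + len(delim)
    if pos != len(msg):
        return MatchResult(False, fields, pos, f"unmatched trailing text {msg[pos:pos + 20]!r}")
    return MatchResult(True, fields, pos, "")


# Text copied from the thread as rendered (single spaces). HEAD/ATTRS/TAIL are the parts
# the pattern and the message share verbatim.
HEAD = ("Security Microsoft Windows security auditing.: [Success Audit] A computer account "
        "was changed. Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account "
        "Domain: NT AUTHORITY Logon ID: 0x3e6 Computer Account That Was Changed: Security ID: ")
ATTRS = ("Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home "
         "Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - "
         "Password Last Set: ")
TAIL = ("Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC "
        "Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS "
        "Host Name: - Service Principal Names: - Additional Information: Privileges: - (EventID 4742)")

# ${MSG} for the posted log line (assumption: PROGRAM/PID stripped by the header parser,
# leaving the text after the first ": ", which here begins with a second colon).
MSG = (": " + HEAD + "S-1-5-21-776561741-789336058-725345543-305444 Account Name: User1$ "
       "Account Domain: TEST " + ATTRS + "12/22/2011 3:38:32 AM " + TAIL)

# The pattern exactly as posted.
POSTED = ("@ESTRING:user::@ " + HEAD + "@ESTRING:: @Account Name: @ESTRING:ACC_NAME: @ Account "
          "Domain: WW002 " + ATTRS + "@ESTRING:: @@ESTRING:: @ " + TAIL)

# Added rewrite for the text as rendered here: no literal space after a parser whose
# delimiter already consumed it, the SID and domain captured (ACC_SID/ACC_DOMAIN are my
# names) instead of hard-coded, and a third @ESTRING@ for the AM/PM token of the timestamp.
FIXED = ("@ESTRING:user::@ " + HEAD + "@ESTRING:ACC_SID: @Account Name: @ESTRING:ACC_NAME: @"
         "Account Domain: @ESTRING:ACC_DOMAIN: @" + ATTRS + "@ESTRING:: @@ESTRING:: @@ESTRING:: @" + TAIL)


def report(label, pattern, msg):
    r = match(pattern, msg)
    print(f"{label}: {'MATCH' if r.ok else 'NO MATCH at offset ' + str(r.pos)} {r.reason}")
    print(f"  fields seen: {r.fields}")
    return r


if __name__ == "__main__":
    report("posted pattern", POSTED, MSG)
    report("fixed pattern ", FIXED, MSG)
```

<div>syslog-ng's own <code>pdbtool match -p /opt/syslog-ng/var/patterndb.xml -M '&lt;message&gt;' -P '&lt;program&gt;'</code> is the authoritative check against the real database; the script is an offline stand-in for the same stepping. Run on the text as posted, it stops right after ACC_NAME has been captured, because the pattern has a literal space after <code>@ESTRING:ACC_NAME: @</code> although that parser's delimiter already consumed the space in the message. With that space removed it stops at <code>WW002</code> versus <code>TEST</code>, and with the domain fixed it stops at the <code>AM</code> token, which the two unnamed parsers do not cover. Since patterndb only sets fields on a complete match, <code>${ACC_NAME}</code> stays empty even with the corrected template until all three are addressed. Note also that every other attribute is pinned to the literal <code>-</code>, so this rule only fires for 4742 events in which Password Last Set is the sole changed attribute.</div>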