<div class="gmail_quote"><div>I can't execute those commands. Here's the error</div><div><br></div><div><div>Unknown command</div><div>Syntax: pdbtool <command> [options]</div><div>Possible commands are:</div><div>
match Match a message against the pattern database</div><div> dump Dump pattern datebase tree</div><div> merge Merge pattern databases</div><div> dictionary Dump pattern dictionary</div>
<div><br></div></div><div>Version</div><div><br></div><div><div>syslog-ng-premium-edition 3.2.1</div><div>Installer-Version: 3.2.1</div></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
------------------------------<br>
<br>
Message: 3<br>
Date: Thu, 22 Dec 2011 13:11:05 -0600<br>
From: Martin Holste <<a href="mailto:mcholste@gmail.com">mcholste@gmail.com</a>><br>
Subject: Re: [syslog-ng] Pattern matching.<br>
To: "Syslog-ng users' and developers' mailing list"<br>
<<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
Message-ID:<br>
<CANpnLHgau7bZrSP2ro0QY=<a href="mailto:a8ZcJZLyqJgAVegWufDuszOjuCMA@mail.gmail.com">a8ZcJZLyqJgAVegWufDuszOjuCMA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
You can also include an example pattern as part of the actual rule like this:<br>
<br>
<ruleset><br>
<program></program><br>
<rule id="2"><br>
<pattern>@ESTRING:user::@ Security Microsoft<br>
Windows security auditing.: [Success Audit] A computer account was<br>
changed. Subject: Security ID: S-1-5-7 Account Name:<br>
ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3e6<br>
Computer Account That Was Changed: Security ID: @ESTRING::<br>
@Account Name: @ESTRING:ACC_NAME: @ Account Domain: WW002<br>
Changed Attributes: SAM Account Name: - Display Name: - User<br>
Principal Name: - Home Directory: - Home Drive: - Script Path:<br>
- Profile Path: - User Workstations: - Password Last Set:<br>
@ESTRING:: @@ESTRING:: @ Account Expires: - Primary Group ID: -<br>
AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User<br>
Account Control: - User Parameters: - SID History: - Logon<br>
Hours: - DNS Host Name: - Service Principal Names: -<br>
Additional Information: Privileges: - (EventID 4742)</pattern><br>
<examples><br>
<example><br>
<test_message<br>
program="Microsoft_Windows_security_auditing.[5784]">: Security<br>
Microsoft Windows security auditing.: [Success Audit] A computer<br>
account was changed. Subject: Security ID: S-1-5-7 Account<br>
Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID:<br>
0x3e6 Computer Account That Was Changed: Security ID:<br>
S-1-5-21-776561741-789336058-725345543-305444 Account Name: User1$<br>
Account Domain: TEST Changed Attributes: SAM Account Name: -<br>
Display Name: - User Principal Name: - Home Directory: - Home<br>
Drive: - Script Path: - Profile Path: - User Workstations: -<br>
Password Last Set: 12/22/2011 3:38:32 AM Account Expires: -<br>
Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New<br>
UAC Value: - User Account Control: - User Parameters: - SID<br>
History: - Logon Hours: - DNS Host Name: - Service Principal<br>
Names: - Additional Information: Privileges: - (EventID<br>
4742)</test_message><br>
<test_value<br>
name="ACC_NAME">User1$</test_value><br>
</example><br>
</examples><br>
</rule><br>
</ruleset><br>
<br>
Then you can test it more easily like this:<br>
pdbtool test patterndb.xml<br>
<br>
On Thu, Dec 22, 2011 at 8:04 AM, Balazs Scheidler <<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>> wrote:<br>
> On Thu, 2011-12-22 at 14:31 +0530, Anup Shetty wrote:<br>
>> Nope, no luck yet. Still blanks being spit out.<br>
>><br>
>><br>
>> Here's the exact extract of the pattern matching and the log:<br>
>><br>
>><br>
>> Pattern String<br>
>> ---------------------------<br>
>><br>
>><br>
>> @ESTRING:user::@ Security Microsoft Windows security auditing.:<br>
>> [Success Audit] A computer account was changed. ? ?Subject: ? Security<br>
>> ID: ?S-1-5-7 ? Account Name: ?ANONYMOUS LOGON ? Account Domain: ?NT<br>
>> AUTHORITY ? Logon ID: ?0x3e6 ? ?Computer Account That Was Changed:<br>
>> Security ID: ?@ESTRING:: ?@Account Name: ? @ESTRING:ACC_NAME: @<br>
>> Account Domain: ?WW002 ? ?Changed Attributes: ? SAM Account Name: -<br>
>> Display Name: ?- ? User Principal Name: - ? Home Directory: ?- ? Home<br>
>> Drive: ?- ? Script Path: ?- ? Profile Path: ?- ? User Workstations: -<br>
>> Password Last Set: @ESTRING:: @@ESTRING:: @ ? Account Expires: ?-<br>
>> Primary Group ID: - ? AllowedToDelegateTo: - ? Old UAC Value: ?- ? New<br>
>> UAC Value: ?- ? User Account Control: - ? User Parameters: - ? SID<br>
>> History: ?- ? Logon Hours: ?- ? DNS Host Name: ?- ? Service Principal<br>
>> Names: - ? ?Additional Information: ? Privileges: ?- (EventID 4742)<br>
>><br>
>><br>
>> Log<br>
>> ------------------<br>
>><br>
>><br>
>> Dec 22 03:38:32 <a href="http://Server.zoom11.test.net" target="_blank">Server.zoom11.test.net</a><br>
>> Microsoft_Windows_security_auditing.[5784]: : Security Microsoft<br>
>> Windows security auditing.: [Success Audit] A computer account was<br>
>> changed. ? ?Subject: ? Security ID: ?S-1-5-7 ? Account Name:<br>
>> ?ANONYMOUS LOGON ? Account Domain: ?NT AUTHORITY ? Logon ID: ?0x3e6<br>
>> ?Computer Account That Was Changed: ? Security ID:<br>
>> ?S-1-5-21-776561741-789336058-725345543-305444 ? Account Name: ?User1$<br>
>> Account Domain: ?TEST ? ?Changed Attributes: ? SAM Account Name: -<br>
>> Display Name: ?- ? User Principal Name: - ? Home Directory: ?- ? Home<br>
>> Drive: ?- ? Script Path: ?- ? Profile Path: ?- ? User Workstations: -<br>
>> Password Last Set: 12/22/2011 3:38:32 AM ? Account Expires: ?-<br>
>> Primary Group ID: - ? AllowedToDelegateTo: - ? Old UAC Value: ?- ? New<br>
>> UAC Value: ?- ? User Account Control: - ? User Parameters: - ? SID<br>
>> History: ?- ? Logon Hours: ?- ? DNS Host Name: ?- ? Service Principal<br>
>> Names: - ? ?Additional Information: ? Privileges: ?- (EventID 4742)<br>
>><br>
>><br>
> "pdbtool match" can be used to test patterns.<br>
><br>
> pdbtool patch -p <path to xml file> -P '<appname>' -M '<msg>' --debug --color-out<br>
><br>
> This even colours the output so that the partial matches can be<br>
> recognized. This is the best way to troubleshoot patterns.<br>
><br>
> --<br>
> Bazsi<br>
><br>
><br></blockquote></div><br clear="all"><div><br></div>-- <br><div>Thanks and regards,<br>Anup</div>
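<p>As an added example, not code from this thread or from syslog-ng itself: a small Python matcher for the <code>@ESTRING:name:delimiter@</code> parser that the pattern above relies on. It extracts the named values on a full match and, when the match fails, reports the message offset where it stopped, which is the partial-match information the coloured <code>pdbtool match</code> output gives you. Two assumptions are built in: the delimiter is treated as a literal string that is consumed by the match (the way <code>@ESTRING:: @Account Name:</code> is written above), and a rule only matches if it consumes the whole message. The pattern and event below are constructed, shortened versions of the ones in the thread, not the real rule.</p>

```python
import re

# Recognises @ESTRING:name:delimiter@; everything outside it is a literal.
# Assumption: the delimiter is a literal string and is consumed by the match.
ESTRING_RE = re.compile(r"@ESTRING:([A-Za-z0-9_]*):([^@]*)@")


def tokenize(pattern):
    """Split a pattern into ('lit', text) and ('estring', name, delim) tokens."""
    tokens, pos = [], 0
    for m in ESTRING_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("lit", pattern[pos:m.start()]))
        tokens.append(("estring", m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("lit", pattern[pos:]))
    return tokens


def match_pattern(pattern, message):
    """Match a message the way a patterndb rule does: literals must match
    character for character and the whole message must be consumed.

    Returns (values, failed_at). values holds the named parser results gathered
    so far; failed_at is None on a full match, otherwise the message offset at
    which matching stopped (what pdbtool's coloured output highlights)."""
    values, i = {}, 0
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            if not message.startswith(tok[1], i):
                return values, i
            i += len(tok[1])
        else:
            _, name, delim = tok
            if delim == "":                  # empty delimiter: take the rest of the message
                end, i_next = len(message), len(message)
            else:
                end = message.find(delim, i)
                if end < 0:
                    return values, i
                i_next = end + len(delim)    # the delimiter itself is consumed
            if name:                         # @ESTRING:: @ stores nothing, like above
                values[name] = message[i:end]
            i = i_next
    return values, (None if i == len(message) else i)


def explain(pattern, message):
    """One-line verdict, handy when a rule only produces blank values."""
    values, failed_at = match_pattern(pattern, message)
    if failed_at is None:
        return "MATCH " + repr(values)
    return "NO MATCH at offset %d: matched ...%r, stuck before %r..." % (
        failed_at, message[:failed_at][-30:], message[failed_at:failed_at + 30])


# Constructed, shortened stand-ins for the rule and event in the thread.
SAMPLE_PATTERN = (
    "@ESTRING:user::@ Security Microsoft Windows security auditing.: "
    "[Success Audit] A computer account was changed. "
    "Computer Account That Was Changed: Security ID: @ESTRING:: @"
    "Account Name: @ESTRING:ACC_NAME: @Account Domain: TEST "
    "Password Last Set: @ESTRING:: @@ESTRING:: @@ESTRING:: @"
    "Account Expires: - (EventID 4742)"
)
SAMPLE_MESSAGE = (
    ": Security Microsoft Windows security auditing.: "
    "[Success Audit] A computer account was changed. "
    "Computer Account That Was Changed: Security ID: "
    "S-1-5-21-776561741-789336058-725345543-305444 "
    "Account Name: User1$ Account Domain: TEST "
    "Password Last Set: 12/22/2011 3:38:32 AM "
    "Account Expires: - (EventID 4742)"
)
# Same constructed event with a domain the pattern's literal does not expect.
OTHER_DOMAIN_MESSAGE = SAMPLE_MESSAGE.replace("Account Domain: TEST",
                                              "Account Domain: WW002")

if __name__ == "__main__":
    print(explain(SAMPLE_PATTERN, SAMPLE_MESSAGE))
    print(explain(SAMPLE_PATTERN, OTHER_DOMAIN_MESSAGE))
```

<p>The first message matches fully and yields <code>user</code> (empty, because the message starts with the <code>:</code> delimiter) and <code>ACC_NAME</code>; the second stops right before <code>Account Domain: WW002</code>, showing how one hard-coded literal in a pattern makes the whole rule fail silently even though every parser before it extracted a value.</p>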