<div dir="ltr"><div><div><div><div><div><div><div><div>Hi Michael!<br><br></div>First, when using pdbtool for testing, you should specify -P &quot;ssh&quot; on the command line, because your rule will only match if the program name is &quot;ssh&quot;. Second, be careful with spaces and line breaks!<br>
</div>Patterndb patterns are very sensitive to white space and line breaks: if the log is a single-line one, then your pattern shouldn&#39;t have any line breaks. In your case, the problem is with spaces.<br></div>In patterndb, there is no need to escape spaces, because they are taken literally: one space in the pattern means one space matching in the log. So you should delete the space after the &quot;Accepted&quot; word, and you should <br>
</div>delete another space and the backslash after &quot;from&quot;. With these modifications, I managed to match the line. So here is my pattern:<br><br>&lt;?xml version=&#39;1.0&#39; encoding=&#39;UTF-8&#39;?&gt;<br>&lt;patterndb version=&#39;4&#39; pub_date=&#39;2010-10-17&#39;&gt;<br>
&lt;ruleset name=&#39;ssh&#39; id=&#39;123456678&#39;&gt;<br>   &lt;pattern&gt;ssh&lt;/pattern&gt;<br>     &lt;rules&gt;<br>        &lt;rule provider=&#39;me&#39; id=&#39;182437592347598&#39; class=&#39;system&#39;&gt;<br>
           &lt;patterns&gt;<br>              &lt;pattern&gt;Accepted@QSTRING:SSH.AUTH_METHOD: @for@QSTRING:SSH_USERNAME: @from@QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2&lt;/pattern&gt;<br>           &lt;/patterns&gt;<br>
         &lt;/rule&gt;<br>     &lt;/rules&gt;<br>   &lt;/ruleset&gt;<br>&lt;/patterndb&gt;<br><br></div>And the pdbtool line:<br><br>bin/pdbtool match -p /tmp/test.xml -P &quot;ssh&quot; -M &quot;Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2&quot;<br>
<br></div>Hope I could help you.<br><br></div>Best Regards,<br></div>Viktor<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 1, 2014 at 11:49 PM, Michael Starks <span dir="ltr">&lt;<a href="mailto:syslog-ng-list@michaelstarks.com" target="_blank">syslog-ng-list@michaelstarks.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">x-posted from ELSA mailing list; no replies there so please excuse the<br>
noise.<br>
<br>
I am trying to add an additional ASA log message that is unclassified in<br>
ELSA. To make a long story short, *nothing* seems to be matching with<br>
pdbtool. Here is the line I am trying to work with:<br>
<br>
Jun 23 00:00:05 192.168.1.4 %ASA-3-106100: access-list INOUT denied tcp<br>
inside/<a href="http://1.2.3.4" target="_blank">1.2.3.4</a>(64576) -&gt; outside/<a href="http://5.6.7.8" target="_blank">5.6.7.8</a>(80) hit-cnt 1 first hit<br>
[0x59bca63e, 0x620e5b55]<br>
<br>
Putting that aside for the moment since I can&#39;t get it to work, I went<br>
straight to the syslog-ng docs<br>
(<a href="https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html-single/index.html#chapter-patterndb" target="_blank">https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html-single/index.html#chapter-patterndb</a>)<br>

and used the example. I created /etc/elsa/patterns.d/test.xml with this<br>
content:<br>
<br>
&lt;patterndb version=&#39;4&#39; pub_date=&#39;2010-10-17&#39;&gt;<br>
     &lt;ruleset name=&#39;ssh&#39; id=&#39;123456678&#39;&gt;<br>
         &lt;pattern&gt;ssh&lt;/pattern&gt;<br>
             &lt;rules&gt;<br>
                 &lt;rule provider=&#39;me&#39; id=&#39;182437592347598&#39; class=&#39;system&#39;&gt;<br>
                     &lt;patterns&gt;<br>
                         &lt;pattern&gt;Accepted @QSTRING:SSH.AUTH_METHOD: @<br>
for@QSTRING:SSH_USERNAME: @from\ @QSTRING:SSH_CLIENT_ADDRESS: @port<br>
@NUMBER:SSH_PORT_NUMBER:@ ssh2&lt;/pattern&gt;<br>
                     &lt;/patterns&gt;<br>
                 &lt;/rule&gt;<br>
             &lt;/rules&gt;<br>
     &lt;/ruleset&gt;<br>
&lt;/patterndb&gt;<br>
<br>
I then tested with this line:<br>
<br>
/usr/local/syslog-ng/bin/pdbtool match -p /etc/elsa/patterns.d/test.xml<br>
-M &quot;Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2&quot;<br>
<br>
The result is this:<br>
<br>
MESSAGE=Accepted password for sampleuser from 10.50.0.247 port 42156<br>
ssh2<br>
.classifier.class=unknown<br>
<br>
Details are:<br>
<br>
[root@hostname elsa]# /usr/local/syslog-ng-3.2.4/sbin/syslog-ng -V<br>
syslog-ng 3.2.4<br>
Installer-Version: 3.2.4<br>
Revision:<br>
ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6<br>
Compile-Date: May 23 2012 09:58:14<br>
Enable-Threads: off<br>
Enable-Debug: off<br>
Enable-GProf: off<br>
Enable-Memtrace: off<br>
Enable-Sun-STREAMS: off<br>
Enable-IPv6: on<br>
Enable-Spoof-Source: off<br>
Enable-TCP-Wrapper: off<br>
Enable-SSL: on<br>
Enable-SQL: off<br>
Enable-Linux-Caps: on<br>
Enable-Pcre: on<br>
Enable-Pacct: off<br>
<br>
[root@hostname elsa]# cat /etc/redhat-release<br>
Oracle Linux Server release 6.5<br>
<br>
Thank you in advance.<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div><br></div>
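<p>To make Viktor's two points concrete (the ruleset <code>&lt;pattern&gt;</code> is matched against the <em>program</em> name, and every space in a message pattern is a literal that must be present in the log line), here is a small added example that is not part of the thread and not syslog-ng's own code. It is a deliberately simplified emulation of patterndb matching: only <code>@QSTRING@</code> and <code>@NUMBER@</code> are implemented, <code>@@</code> escapes are not handled, and running pdbtool without <code>-P</code> is modelled as an empty program name (an assumption). It loads Viktor's corrected XML, then classifies the same sample line Michael used, once without a program name, once with Michael's original pattern, and once with the fixed one. The <code>.classifier.rule_id</code> field is added alongside <code>.classifier.class</code> for readability; the thread itself only shows the latter.</p>

```python
"""Toy emulation of a slice of syslog-ng patterndb matching (not syslog-ng code).
Shows: the ruleset <pattern> is matched against the PROGRAM name (hence -P "ssh"),
and every literal character in a pattern, spaces included, must be in the message."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the exact message Michael passed to pdbtool with -M.
SSH_LOG = "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2"
# Michael's pattern (space after "Accepted", "\ " after "from") and Viktor's fix.
BROKEN = ("Accepted @QSTRING:SSH.AUTH_METHOD: @for@QSTRING:SSH_USERNAME: @"
          "from\\ @QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2")
FIXED = ("Accepted@QSTRING:SSH.AUTH_METHOD: @for@QSTRING:SSH_USERNAME: @"
         "from@QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2")
# Viktor's corrected patterndb file, embedded so the example runs offline.
PATTERNDB_XML = f"""<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2010-10-17'>
 <ruleset name='ssh' id='123456678'><pattern>ssh</pattern><rules>
  <rule provider='me' id='182437592347598' class='system'>
   <patterns><pattern>{FIXED}</pattern></patterns>
  </rule></rules></ruleset>
</patterndb>"""

# @PARSER:name:arg@ with name and arg optional ("@@" literal escapes not handled).
TOKEN = re.compile(r"@(?P<parser>[A-Z0-9]+)(?::(?P<name>[^:@]*)(?::(?P<arg>[^@]*))?)?@")

def tokenize(pattern):
    """Split a pattern into ("lit", text) and ("parser", kind, name, arg) tokens."""
    tokens, last = [], 0
    for m in TOKEN.finditer(pattern):
        if m.start() > last:
            tokens.append(("lit", pattern[last:m.start()]))
        tokens.append(("parser", m["parser"], m["name"] or "", m["arg"] or ""))
        last = m.end()
    if last < len(pattern):
        tokens.append(("lit", pattern[last:]))
    return tokens

def p_qstring(msg, pos, arg):
    """Quoted string: arg holds the quote char(s); the value excludes the quotes."""
    if not arg or not msg.startswith(arg[0], pos):
        return None
    end = msg.find(arg[-1], pos + 1)
    return None if end < 0 else (msg[pos + 1:end], end + 1)

def p_number(msg, pos, arg):
    m = re.compile(r"-?(?:0x[0-9a-fA-F]+|[0-9]+)").match(msg, pos)
    return None if m is None else (m.group(0), m.end())

PARSERS = {"QSTRING": p_qstring, "NUMBER": p_number}

def match(pattern, msg):
    """Return {name: value} when pattern matches the whole message, else None."""
    values, pos = {}, 0
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):  # literal text, spaces included
                return None
            pos += len(tok[1])
        else:
            hit = PARSERS[tok[1]](msg, pos, tok[3])
            if hit is None:
                return None
            value, pos = hit
            if tok[2]:
                values[tok[2]] = value
    return values if pos == len(msg) else None

def load_patterndb(xml_text):
    """Read rulesets from a patterndb v4 document (only the elements used here)."""
    rulesets = []
    for rs in ET.fromstring(xml_text.encode()).findall("ruleset"):
        programs = [p.text for p in rs.findall("pattern") + rs.findall("patterns/pattern")]
        rules = [{"id": r.get("id"), "class": r.get("class"),
                  "patterns": [p.text for p in r.findall("patterns/pattern")]}
                 for r in rs.findall("rules/rule")]
        rulesets.append({"programs": programs, "rules": rules})
    return rulesets

def classify(rulesets, program, message):
    """Emulate `pdbtool match -P program -M message`: program picks the ruleset."""
    for rs in rulesets:
        if not any(match(p, program) is not None for p in rs["programs"]):
            continue
        for rule in rs["rules"]:
            for pat in rule["patterns"]:
                values = match(pat, message)
                if values is not None:
                    return {".classifier.class": rule["class"],
                            ".classifier.rule_id": rule["id"], **values}
    return {".classifier.class": "unknown"}

def demo():
    db = load_patterndb(PATTERNDB_XML)
    broken_db = [{"programs": ["ssh"], "rules": [
        {"id": "182437592347598", "class": "system", "patterns": [BROKEN]}]}]
    return {"no_program": classify(db, "", SSH_LOG),  # pdbtool without -P
            "broken": classify(broken_db, "ssh", SSH_LOG),
            "fixed": classify(db, "ssh", SSH_LOG)}

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

<p>The first two cases come back as <code>unknown</code> for exactly the reasons given in the reply: with no program name the <code>ssh</code> ruleset is never consulted, and with the original pattern the literal space after <code>Accepted</code> is consumed before <code>@QSTRING@</code> looks for its opening space. Only the fixed pattern, with program <code>ssh</code>, yields <code>class=system</code> and the four extracted fields. The same literal-whitespace rule is why a pattern that has been wrapped onto several lines by a mail client will not match a single-line message.</p>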