<p dir="ltr">True..<br>
How can I chop that content and pass it to the db-parser??<br>
Also how to handle different values like if authentication method can be password, public key, none, keyboard interactive. How do I put the values in the pattern-db rule.do I keep adding them in example tag of the rule..</p>
<p dir="ltr">Thankyou very much for the quick response. </p>
<p dir="ltr">I m a trying to get onboard :)</p>
<div class="gmail_quote">On Sep 30, 2014 3:34 PM, "Fabien Wernli" <<a href="mailto:wernli@in2p3.fr">wernli@in2p3.fr</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi again,<br>
<br>
On Tue, Sep 30, 2014 at 03:04:32PM -0400, Justin Kala wrote:<br>
> example: what to put in place of timezone ,hostname, program etc.<br>
> especially this part "2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app<br>
> sshd[11019]: [ID 800047<br>
> > auth.notice] " rest of the message is written in the example you provided<br>
<br>
First things first, you shouldn't need to worry about date, host and<br>
program: they are automatically being parsed by syslog-ng and cast<br>
respectively into the macros $DATE, $HOST, and $PROGRAM. The latter is being used by patterndb to separate rulesets. So in<br>
your example, $PROGRAM=sshd, $MSG=[ID 800047 auth.notice] ...<br>
<br>
Secondly, if I were you, I wouldn't touch the patterndb: I'd rather rewrite<br>
all messages to drop the annoying prefix, and only then pass the result to<br>
the dbparser.<br>
<br>
If you don't know how to do that, I can be of further assistance :-)<br>
<br>
cheers<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>