<div dir="ltr"><div>Thanks Fabien</div><div> </div><div>That was very helpful. I cannot change the format as of now.</div><div>Can you provide me the pattern db for the messages sent, i.e. what to add in front of the message </div><div>example: what to put in place of timezone, hostname, program, etc.</div><div>especially this part "2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice] "; the rest of the message is written in the example you provided</div><div> </div><div>Regards</div><div>Kaladhar</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 30, 2014 at 10:47 AM, Fabien Wernli <span dir="ltr"><<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Justin,<br>
<span><br>
On Tue, Sep 30, 2014 at 10:29:13AM -0400, Justin Kala wrote:<br>
> 2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047<br>
> auth.notice] Failed password for root from 100.200.255.01 port 54438 ssh2<br>
> 2014-09-28T14:03:46-04:00 abcdef01-app/abcdef01-app sshd[27420]: [ID 800047<br>
> auth.notice] Failed publickey for root from 100.200.255.02 port 59219 ssh2<br>
> 2014-09-28T14:08:28-04:00 abcdef01-app/abcdef01-app sshd[3954]: [ID 800047<br>
> auth.notice] Failed keyboard-interactive for root from 100.200.255.03 port<br>
> 65410 ssh2<br>
> 2014-09-28T14:10:11-04:00 abcdef01-app/abcdef01-app sshd[5222]: [ID 293258<br>
> auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed<br>
> - Invalid credentials<br>
<br>
</span>As it happens, these rules are already out there on github, you can just<br>
grab them [1]. That being said, you'll have a slight problem as you seem to<br>
be logging from Solaris machines, which unfortunately pollute the message<br>
with a msgid. You can either change the patterndb rules, or disable that<br>
IMHO useless feature by modifying /kernel/drv/log.conf and optionally<br>
using 'echo log_msgid/W0 | adb -kw' [2].<br>
<br>
Hope this helps<br>
<br>
[1] <a href="https://github.com/balabit/syslog-ng-patterndb" target="_blank">https://github.com/balabit/syslog-ng-patterndb</a><br>
[2] <a href="http://docs.oracle.com/cd/E19620-01/806-1650/6jau1364v/index.html" target="_blank">http://docs.oracle.com/cd/E19620-01/806-1650/6jau1364v/index.html</a><br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br>Kaladhar
</div>
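Added example, not part of the thread or of the syslog-ng-patterndb project: a small Python parser that does what the two options in Fabien's reply amount to, splitting the Solaris syslog header, stripping the "[ID 800047 auth.notice]" msgid prefix, and then matching the sshd failed-authentication body, run over the lines quoted above. Field names such as `src_ip` and the `class` values are my own choice, not patterndb's.

```python
import re

# Constructed sample input: the records quoted in the thread, each re-joined
# onto one line (the mail client had wrapped them).
SAMPLE_LOGS = [
    "2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice] Failed password for root from 100.200.255.01 port 54438 ssh2",
    "2014-09-28T14:03:46-04:00 abcdef01-app/abcdef01-app sshd[27420]: [ID 800047 auth.notice] Failed publickey for root from 100.200.255.02 port 59219 ssh2",
    "2014-09-28T14:08:28-04:00 abcdef01-app/abcdef01-app sshd[3954]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 100.200.255.03 port 65410 ssh2",
    "2014-09-28T14:10:11-04:00 abcdef01-app/abcdef01-app sshd[5222]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials",
]

# Syslog header as the Solaris box emits it: ISO timestamp, host, program[pid]:
HEADER_RE = re.compile(
    r"^(?P<timestamp>\S+) (?P<host>\S+) (?P<program>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The Solaris msgid prefix that Fabien says pollutes the message.
MSGID_RE = re.compile(r"^\[ID (?P<msgid>\d+) (?P<facility>[a-z0-9]+)\.(?P<level>[a-z]+)\] ")
# sshd failed-authentication body (OpenSSH also emits "for invalid user X").
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+) ssh2$"
)


def parse_line(line):
    """Return a dict of name-value pairs for one log line, or None if the
    header does not parse. The msgid is kept as its own fields and removed
    from the message so the body matches the same way on non-Solaris hosts."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    msg = fields.pop("msg")
    mid = MSGID_RE.match(msg)
    if mid:
        fields.update(mid.groupdict())
        msg = msg[mid.end():]
    fields["message"] = msg
    f = FAILED_RE.match(msg)
    if f:
        fields["class"] = "violation"  # failed login attempt
        fields.update(f.groupdict())
    else:
        fields["class"] = "unknown"    # no rule for this body yet
    return fields


def failed_logins(lines):
    """Only the records classified as failed sshd authentications."""
    return [p for p in map(parse_line, lines) if p and p["class"] == "violation"]
```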