<div dir="ltr">Hi Fabien<div><br></div>
<div>I was able to do it like you mentioned.</div>
<div><div><br></div>
<div>I have another problem now.</div>
<div>My syslog-ng server (syslog-ng OSE 3.0.4, which came by default with the Solaris OS) is not using the patterndb.xml db_parser I configured in syslog-ng.conf. I chopped off the message ID content and the actual message is sent to the pattern-db parser, but none of the macro values that are referred to from here are getting populated in the final log:</div>
<div><br></div>
<div><div> &lt;rule provider="patterndb" id="aecda233-3d80-48cd-a72b-4896f58069c8" class="system"&gt;</div>
<div>   &lt;patterns&gt;</div>
<div>     &lt;pattern&gt;Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@&lt;/pattern&gt;</div>
<div>   &lt;/patterns&gt;</div>
<div>   &lt;examples&gt;</div>
<div>     &lt;example&gt;Failed password for bazsi from 127.0.1.1 port 44637 ssh2&lt;/example&gt;</div>
<div>   &lt;/examples&gt;</div>
<div>   &lt;values&gt;</div>
<div>     &lt;value name="usracct.type"&gt;login&lt;/value&gt;</div>
<div>     &lt;value name="usracct.sessionid"&gt;$PID&lt;/value&gt;</div>
<div>     &lt;value name="usracct.application"&gt;$PROGRAM&lt;/value&gt;</div>
<div>     &lt;value name="usracct.device"&gt;${temp.src_ip}:${temp.src_port}&lt;/value&gt;</div>
<div>     &lt;value name="secevt.verdict"&gt;REJECT&lt;/value&gt;</div>
<div>   &lt;/values&gt;</div>
<div>   &lt;tags&gt;</div>
<div>     &lt;tag&gt;usracct&lt;/tag&gt;</div>
<div>     &lt;tag&gt;secevt&lt;/tag&gt;</div>
<div>   &lt;/tags&gt;</div>
<div> &lt;/rule&gt;</div></div>
<div> <br></div></div>
<div><br></div>
<div>Can you help with this?</div>
<div><br></div>
<div>I highly appreciate the support and responses you have been giving.</div></div>
<div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 1, 2014 at 7:59 AM, Fabien Wernli <span dir="ltr">&lt;<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi again,<br>
<span class=""><br>
On Tue, Sep 30, 2014 at 03:59:39PM -0400, Justin Kala wrote:<br>
> How can I chop that content and pass it to the db-parser??<br>
<br>
</span>There are multiple ways I can think of: using rewrite rules or a dedicated<br>
parser. The way I do it in production for a similar use case is using a<br>
csv-parser. If your syslog-ng version allows it, I'd highly recommend<br>
putting the parser inside your source definition. That way you'll be able to<br>
remove the parser once you don't need it anymore (after fixing the Solaris<br>
config). Here's an untested snippet for you that should help you progress:<br>
<br>
source s_solaris {<br>
    channel {<br>
        source {<br>
            network(<br>
                transport(udp)<br>
                port(514)<br>
                flags(syslog-protocol)<br>
            );<br>
        };<br>
        parser(p_drop_msgid);<br>
    };<br>
};<br>
<br>
parser p_drop_msgid {<br>
    csv-parser(<br>
        columns(<br>
            "dropme"<br>
            "MESSAGE"<br>
        )<br>
        delimiters(" ")<br>
        flags(greedy)<br>
        quote-pairs('[]')<br>
    );<br>
};<br>
<br>
The csv-parser simply puts the unwanted "[ID 123435 auth.notice]" text into<br>
macro ${dropme}, and the rest into ${MESSAGE}, which is then used by your<br>
patterndb parser.<br>
<span class=""><br>
> Also, how do I handle different values, e.g. if the authentication method can be<br>
> password, public key, none, or keyboard-interactive? How do I put the values<br>
> in the pattern-db rule? Do I keep adding them in the example tag of the rule?<br>
<br>
</span>That's already being handled in one of the pdb files on github [1].<br>
<br>
[1] <a href="https://github.com/balabit/syslog-ng-patterndb/blob/master/access/sshd.pdb" target="_blank">https://github.com/balabit/syslog-ng-patterndb/blob/master/access/sshd.pdb</a><br>
<br>
Cheers<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Kaladhar
</div>
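The two-stage pipeline discussed in this thread (a csv-parser that drops the Solaris <code>[ID ... facility.priority]</code> prefix, then a patterndb rule whose <code>&lt;values&gt;</code> are filled from the parsed <code>temp.*</code> and <code>usracct.*</code> names) is modelled offline below so the expected populated macros can be checked without a syslog-ng instance. This is an added example, not syslog-ng code and not from either poster. The sample lines, the <code>PROGRAM</code>/<code>PID</code> context, and the <code>:-</code> extra-character argument on the <code>authmethod</code> STRING parser (so that <code>keyboard-interactive</code> matches) are my additions; the STRING, NUMBER and IPv4 parsers are simplified approximations of the real patterndb parsers.

```python
import re

# Constructed sample input in the shape discussed in the thread: a Solaris
# "[ID <msgid> <facility.priority>]" prefix followed by the sshd text.
# These are not real captured logs.
SAMPLE_LINES = [
    "[ID 800047 auth.notice] Failed password for bazsi from 127.0.1.1 port 44637 ssh2",
    "[ID 800047 auth.notice] Failed keyboard-interactive for root from 10.0.0.5 port 51022 ssh2",
    "[ID 800047 auth.notice] Accepted publickey for alice from 10.0.0.9 port 40000 ssh2",
]


def drop_msgid(line):
    """Model the quoted csv-parser: delimiters(" "), quote-pairs('[]'),
    flags(greedy). Column "dropme" takes the bracketed field with the
    brackets stripped; column "MESSAGE" greedily takes the rest."""
    if line.startswith("[") and "]" in line:
        end = line.index("]")
        dropme, rest = line[1:end], line[end + 1:]
        if rest.startswith(" "):          # consume exactly one delimiter
            rest = rest[1:]
        return dropme, rest
    head, _, rest = line.partition(" ")   # no bracketed prefix: plain split
    return head, rest


# Approximations of the patterndb parsers used by the rule. STRING defaults
# to alphanumerics plus "_", extended by the optional third argument; NUMBER
# and IPv4 are simplified (no hex NUMBERs, no range check on octets).
PARSERS = {
    "STRING": lambda extra: r"[A-Za-z0-9_%s]+" % re.escape(extra),
    "NUMBER": lambda extra: r"-?[0-9]+",
    "IPv4": lambda extra: r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}",
}
PARSER_RE = re.compile(r"@(\w+)(?::([^:@]*)(?::([^@]*))?)?@")


def compile_pattern(pattern):
    """Turn a '@TYPE:name:extra@' pattern into an anchored regex plus the
    list of macro names, one per capture group (names such as
    usracct.username contain dots, which Python group names cannot)."""
    regex, names, pos = "", [], 0
    for m in PARSER_RE.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()])
        ptype, name, extra = m.group(1), m.group(2) or "", m.group(3) or ""
        if ptype not in PARSERS:
            raise ValueError("unsupported parser @%s@" % ptype)
        regex += "(" + PARSERS[ptype](extra) + ")"
        names.append(name)
        pos = m.end()
    regex += re.escape(pattern[pos:])
    return re.compile(r"\A" + regex + r"\Z"), names


# The rule from the thread, with ":-" added to the authmethod STRING parser
# so "keyboard-interactive" also matches (my addition, not the original rule).
RULE = {
    "pattern": ("Failed @STRING:usracct.authmethod:-@ for @STRING:usracct.username@ "
                "from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@"),
    "values": {
        "usracct.type": "login",
        "usracct.sessionid": "$PID",
        "usracct.application": "$PROGRAM",
        "usracct.device": "${temp.src_ip}:${temp.src_port}",
        "secevt.verdict": "REJECT",
    },
    "tags": ["usracct", "secevt"],
}

TEMPLATE_RE = re.compile(r"\$\{([^}]+)\}|\$(\w+)")


def expand(template, macros):
    """Expand $NAME and ${NAME}; an unknown macro expands to the empty
    string, which is exactly what an unpopulated value looks like in a log."""
    return TEMPLATE_RE.sub(lambda m: macros.get(m.group(1) or m.group(2), ""), template)


def apply_rule(rule, message, macros):
    """Match one rule against MESSAGE. On success return the macro set with
    the parsed names and the rule's <values> filled in, otherwise None."""
    regex, names = compile_pattern(rule["pattern"])
    m = regex.match(message)
    if m is None:
        return None
    result = dict(macros)
    for name, value in zip(names, m.groups()):
        if name:
            result[name] = value
    for name, template in rule["values"].items():
        result[name] = expand(template, result)
    result["TAGS"] = list(rule["tags"])
    return result


def process(line, program="sshd", pid="1234"):
    """Run both stages: strip the msgid, then apply the rule. PROGRAM and
    PID stand in for header fields syslog-ng would already have parsed."""
    _dropme, message = drop_msgid(line)
    return apply_rule(RULE, message, {"PROGRAM": program, "PID": pid, "MESSAGE": message})


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = process(line)
        if result is None:
            print("no match:", line)
        else:
            print({k: result[k] for k in sorted(result)
                   if k.startswith(("usracct.", "secevt.", "TAGS"))})
```

Running it prints the populated <code>usracct.*</code> and <code>secevt.*</code> values for the two "Failed" lines and "no match" for the "Accepted" line; comparing that against what the real db-parser emits for the same input narrows the problem to either the csv stage (wrong <code>${MESSAGE}</code> reaching the rule) or the rule itself.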