<div dir="ltr"><div>Fabien</div><div> </div><div> </div><div>This is the configuration I put and tried to print the classifier.class and classifier.id from db_parser and got the value as unknown in the log message.</div><div> </div><div>================================================================</div><div>log { source (remote); filter (f_auth); parser(p_drop_msgid); parser(p_tmsgid); parser(pattern_db); destination (r_auth); };</div><p>#Source<br>source remote {<br> internal();<br> udp(ip(0.0.0.0) port(514));<br> };</p><p>#filter<br>filter f_auth { facility (auth,user); };</p><p>#parser01<br>parser p_drop_msgid {<br> csv_parser(<br> columns(<br> "dropme",<br> "EMSG"<br> )<br> delimiters("]")<br> );<br> };</p><p>#parser02<br>parser p_tmsgid {<br> csv_parser(<br> columns(<br> "EMSG01"<br> )<br> delimiters("")<br> template("${EMSG}"));<br> };</p><p>#parser03<br>parser pattern_db {<br> db_parser(<br> file("/test/syslogs/script/parser/patterndb.xml")<br> );<br> };</p><p>#template 01<br>template t_msg_dbparser {template("${.classifier.class}|${.classifier.id}\n"); };</p><p><br>destination r_auth {<br>file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"<br>owner(root) group(test) perm(0640)<br>#template ("<#|${EMSG01}|#>\n")<br>template (t_msg_dbparser)<br>);<br> };</p><p> </p><p><?xml version='1.0' encoding='UTF-8'?><br> <patterndb version='3' pub_date='2010-07-13'><br> <ruleset name='sshd' id='12345678'><br> <description><br> This ruleset covers the OpenSSH server.<br> </description><br> <url><a href="http://www.openssh.com">www.openssh.com</a></url><br> <pattern>sshd</pattern><br> <rules></p><div> <rule provider="patterndb" id="aecda233-3d80-48cd-a72b-4896f58069c8" class="system"><br> <patterns><br> <pattern>Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@</pattern><br> </patterns><br> <examples><br> <example>Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</example><br> </examples><br> <values><br> <value name="usracct.type">login</value><br> <value name="usracct.sessionid">$PID</value><br> <value name="usracct.application">$PROGRAM</value><br> <value name="usracct.device">${temp.src_ip}:${temp.src_port}</value><br> <value name="secevt.verdict">REJECT</value><br> </values><br> <tags><br> <tag>usracct</tag><br> <tag>secevt</tag><br> </tags><br></rule><br> </rules><br> </ruleset><br> </patterndb></div><div> </div><div> </div><div>For this, the log message is:</div><div>===========================================================</div><div><strong> cat messagesAuth.2014.10.02.16<br>unknown|<br>unknown|</strong><br>===========================================================</div><div> </div><div> </div><div>Thanks & Regards</div><div>Justin Kala</div></div>
<div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 2, 2014 at 10:38 AM, Justin Kala <span dir="ltr"><<a href="mailto:justinkala@gmail.com" target="_blank">justinkala@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi </div><div> </div><div>This is how I configured it, and the final log message:</div><div>parser p_drop_msgid {<br> csv_parser(<br> columns(<br> "dropme",<br> "EMSG"<br> )<br> delimiters("]")<br> );<br> };</div><p>parser pattern_db {<br> db_parser(<br> file("/test/syslogs/script/parser/patterndb.xml")<br> );<br> };</p><p><br>destination r_auth {<br>file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"<br>owner(root) group(salars) perm(0640)<br>template("<#|${S_FULLDATE}|${usracct.type}|${usracct.device}|${usracct.application}|${secevt.verdict}|${EMSG}|${usracct.username}|#>\n")<br>); <br> };</p><p><br>log { source (remote); filter (f_auth); parser(p_drop_msgid); parser(pattern_db); destination (r_auth); }; </p><p>Final log message:</p><div><#|2014 Oct 1 16:07:54|||||[ID 800047 auth.notice] Failed none for abc1234 from 100.200.300.10 port 59301 ssh2||#><br></div><div> </div><div>Thanks & Regards</div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Thu, Oct 2, 2014 at 3:26 AM, Fabien Wernli <span dir="ltr"><<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>></span> wrote:<br><blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">Hi,<br>
<span><br>
On Wed, Oct 01, 2014 at 10:48:44PM -0400, Justin Kala wrote:<br>
> my syslog-ng server (Syslog-ng OSE 3.0.4), this came default with SOLARIS<br>
> OS..<br>
> is not using patterndb.xml db_parser i configured in syslog-ng.conf. I<br>
> chopped off the message id content and the actual message is sent to<br>
> pattern-db parser but all the macro values that are referred from here are<br>
> not getting populated in the final log<br>
<br>
</span>Can you elaborate on the nature of "the final log"?<br>
If you're simply using a file destination with default template, you won't<br>
see any of the macros, as by default only $DATE, $HOST, $PROGRAM, $PID and<br>
$MSG are shown. You need to explicitly do that in the template format.<br>
<div><div><br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br></div></div><span class="HOEnZb"><font color="#888888">-- <br>Kaladhar
</font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br>Kaladhar
</div>
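The following is an added example, not code from the thread or from syslog-ng: a deliberately simplified Python re-implementation of patterndb matching for the sshd rule quoted above, to show why a message that still carries the Solaris "[ID ... ]" prefix (or the space left after splitting on "]") classifies as unknown while the stripped message matches. It assumes the pattern must cover the whole message and that @IPv4@ rejects octets above 255; the src_ip in the sample is constructed, and ".classifier.rule_id" is used as the name of the rule-id macro.

```python
import re

# Constructed, simplified re-implementation of a subset of syslog-ng patterndb
# matching (not syslog-ng's code): '@TYPE:name@' tokens, whole-message match,
# class 'unknown' when no rule matches.
PARSERS = {
    "STRING": r"\S+",
    "NUMBER": r"\d+",
    # octet-checked IPv4 (0-255), so "100.200.300.10" is rejected here
    "IPv4": r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}",
}
TOKEN = re.compile(r"@(\w+):([\w.]+)@")

# The sshd rule from the patterndb.xml quoted in the thread.
RULE = {
    "class": "system",
    "id": "aecda233-3d80-48cd-a72b-4896f58069c8",
    "pattern": ("Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ "
                "from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@"),
}

def compile_pattern(pattern):
    """Translate a patterndb pattern into an anchored regex plus the captured names."""
    regex, names, pos = "^", [], 0
    for m in TOKEN.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()]) + "(" + PARSERS[m.group(1)] + ")"
        names.append(m.group(2))
        pos = m.end()
    return re.compile(regex + re.escape(pattern[pos:]) + "$"), names

def classify(message, rule=RULE):
    """Return the name-value pairs a match sets, or class 'unknown' on no match."""
    regex, names = compile_pattern(rule["pattern"])
    m = regex.match(message)
    if not m:
        return {".classifier.class": "unknown", ".classifier.rule_id": None}
    values = dict(zip(names, m.groups()))
    values.update({".classifier.class": rule["class"], ".classifier.rule_id": rule["id"]})
    return values

# Solaris prefixes messages with "[ID nnnnnn facility.level] "; splitting on "]"
# keeps the following space, and the pattern starts with "Failed", so strip both.
SOLARIS_MSGID = re.compile(r"^\[ID \d+ \w+\.\w+\] ")

def strip_msgid(message):
    return SOLARIS_MSGID.sub("", message, count=1)

if __name__ == "__main__":
    raw = "[ID 800047 auth.notice] Failed none for abc1234 from 100.200.30.10 port 59301 ssh2"  # constructed
    for msg in (raw, raw.split("]", 1)[1], strip_msgid(raw)):
        print(repr(msg[:12]), classify(msg)[".classifier.class"])  # unknown, unknown, system
```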