<div dir="ltr"><div>Fabien</div><div> </div><div> </div><div>This is the configuration I put and tried to print the classifier.class and classifier.id from db_parser and got the value as unknown in the log message.</div><div> </div><div>================================================================</div><div>log { source (remote); filter (f_auth); parser(p_drop_msgid); parser(p_tmsgid);  parser(pattern_db);  destination (r_auth); };</div><p>#Source<br>source remote {<br>                       internal();<br>                       udp(ip(0.0.0.0) port(514));<br>                       };</p><p>#filter<br>filter f_auth   { facility (auth,user);   };</p><p>#parser01<br>parser p_drop_msgid {<br>     csv_parser(<br>       columns(<br>         &quot;dropme&quot;,<br>         &quot;EMSG&quot;<br>       )<br>       delimiters(&quot;]&quot;)<br>     );<br> };</p><p>#parser02<br>parser p_tmsgid {<br>     csv_parser(<br>       columns(<br>         &quot;EMSG01&quot;<br>       )<br>       delimiters(&quot;&quot;)<br>     template(&quot;${EMSG}&quot;));<br> };</p><p>#parser03<br>parser pattern_db {<br>            db_parser(<br>                file(&quot;/test/syslogs/script/parser/patterndb.xml&quot;)<br>            );<br>            };</p><p>#template 01<br>template t_msg_dbparser {template(&quot;${.classifier.class}|${.classifier.id}\n&quot;); };</p><p><br>destination r_auth  {<br>file(&quot;/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR&quot;<br>owner(root) group(test) perm(0640)<br>#template (&quot;&lt;#|${EMSG01}|#&gt;\n&quot;)<br>template (t_msg_dbparser)<br>);<br> };</p><p> </p><p>&lt;?xml version=&#39;1.0&#39; encoding=&#39;UTF-8&#39;?&gt;<br>        &lt;patterndb version=&#39;3&#39; pub_date=&#39;2010-07-13&#39;&gt;<br>        &lt;ruleset name=&#39;sshd&#39; id=&#39;12345678&#39;&gt;<br>        &lt;description&gt;<br>        This ruleset covers the OpenSSH server.<br>        &lt;/description&gt;<br>        
&lt;url&gt;<a href="http://www.openssh.com">www.openssh.com</a>&lt;/url&gt;<br>        &lt;pattern&gt;sshd&lt;/pattern&gt;<br>        &lt;rules&gt;</p><div> &lt;rule provider=&quot;patterndb&quot; id=&quot;aecda233-3d80-48cd-a72b-4896f58069c8&quot; class=&quot;system&quot;&gt;<br>        &lt;patterns&gt;<br>          &lt;pattern&gt;Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@&lt;/pattern&gt;<br>        &lt;/patterns&gt;<br>        &lt;examples&gt;<br>          &lt;example&gt;Failed password for kaladhar from 127.0.1.1 port 44637 ssh2&lt;/example&gt;<br>        &lt;/examples&gt;<br>        &lt;values&gt;<br>          &lt;value name=&quot;usracct.type&quot;&gt;login&lt;/value&gt;<br>          &lt;value name=&quot;usracct.sessionid&quot;&gt;$PID&lt;/value&gt;<br>          &lt;value name=&quot;usracct.application&quot;&gt;$PROGRAM&lt;/value&gt;<br>          &lt;value name=&quot;usracct.device&quot;&gt;${temp.src_ip}:${temp.src_port}&lt;/value&gt;<br>          &lt;value name=&quot;secevt.verdict&quot;&gt;REJECT&lt;/value&gt;<br>        &lt;/values&gt;<br>        &lt;tags&gt;<br>          &lt;tag&gt;usracct&lt;/tag&gt;<br>          &lt;tag&gt;secevt&lt;/tag&gt;<br>        &lt;/tags&gt;<br>&lt;/rule&gt;<br>        &lt;/rules&gt;<br>        &lt;/ruleset&gt;<br>        &lt;/patterndb&gt;</div><div> </div><div> </div><div>For this the log message is :</div><div>===========================================================</div><div><strong> cat messagesAuth.2014.10.02.16<br>unknown|<br>unknown|</strong><br>===========================================================</div><div> </div><div> </div><div>Thanks &amp; Regards</div><div>Justin Kala</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 2, 2014 at 10:38 AM, Justin Kala <span dir="ltr">&lt;<a href="mailto:justinkala@gmail.com" target="_blank">justinkala@gmail.com</a>&gt;</span> wrote:<br><blockquote 
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi </div><div> </div><div>This is how I configured and the Final Log Message</div><div>parser p_drop_msgid {<br>     csv_parser(<br>       columns(<br>         &quot;dropme&quot;,<br>         &quot;EMSG&quot;<br>       )<br>       delimiters(&quot;]&quot;)<br>     );<br> };</div><p>parser pattern_db {<br>            db_parser(<br>                file(&quot;/test/syslogs/script/parser/patterndb.xml&quot;)<br>            );<br>            };</p><p><br>destination r_auth  {<br>file(&quot;/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR&quot;<br>owner(root) group(salars) perm(0640)<br>template(&quot;&lt;#|${S_FULLDATE}|${usracct.type}|${usracct.device}|${usracct.application}|${secevt.verdict}|${EMSG}|${usracct.username}|#&gt;\n&quot;)<br>); <br> };</p><p><br>log { source (remote); filter (f_auth); parser(p_drop_msgid); parser(pattern_db);  destination (r_auth); }; </p><p>Final Log message:</p><div>&lt;#|2014 Oct  1 16:07:54|||||[ID 800047 auth.notice] Failed none for abc1234 from 100.200.300.10 port 59301 ssh2||#&gt;<br></div><div> </div><div>Thanks &amp; Regards</div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Thu, Oct 2, 2014 at 3:26 AM, Fabien Wernli <span dir="ltr">&lt;<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>&gt;</span> wrote:<br><blockquote style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid" class="gmail_quote">Hi,<br>
<span><br>
On Wed, Oct 01, 2014 at 10:48:44PM -0400, Justin Kala wrote:<br>
&gt; my syslog-ng server (Syslog-ng OSE 3.0.4), this came default with SOLARIS<br>
&gt; OS..<br>
&gt;  is not using patterndb.xml db_parser i configured in syslog-ng.conf. I<br>
&gt; chopped off the message id content and the actual message  is sent to<br>
&gt; pattern-db parser but all the macro values that are referred from here are<br>
&gt; not getting populated in the final log<br>
<br>
</span>Can you elaborate on the nature of &quot;the final log&quot;?<br>
If you&#39;re simply using a file destination with default template, you won&#39;t<br>
see any of the macros, as by default only $DATE, $HOST, $PROGRAM, $PID and<br>
$MSG are shown. You need to explicitly do that in the template format.<br>
<div><div><br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br></div></div><span class="HOEnZb"><font color="#888888">-- <br>Kaladhar
</font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br>Kaladhar
</div>
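An offline check of the sshd rule from this thread, added here as an example and not code from the thread or from syslog-ng: it approximates the @STRING@, @NUMBER@ and @IPv4@ parsers with regexes, validates the rule's own &lt;example&gt; the way pdbtool test would, and then shows why a Solaris-style line with the "[ID ... auth.notice]" prefix still classifies as unknown. It assumes that db_parser matches the original ${MESSAGE} rather than the ${EMSG} column set by csv_parser, and that csv_parser leaves the space after "]" in ${EMSG}; the log line and the trimmed ruleset are constructed from the messages above.

```python
import re
import xml.etree.ElementTree as ET

# Regex approximations of the three patterndb parsers the thread's rule uses (assumption:
# @STRING@ = alphanumerics/underscore, @NUMBER@ = digits, @IPv4@ = four octets 0-255).
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
PARSERS = {"STRING": r"[A-Za-z0-9_]+", "NUMBER": r"[0-9]+",
           "IPv4": rf"{_OCTET}(?:\.{_OCTET}){{3}}"}
_TOKEN = re.compile(r"@(\w+):([\w.]+)@")

def pattern_to_regex(pattern):
    """Translate a patterndb pattern into a regex with one named group per @PARSER:name@."""
    out, pos = [], 0
    for m in _TOKEN.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        # Regex group names cannot contain dots; encode them here and decode on match.
        out.append(f"(?P<{m.group(2).replace('.', '__')}>{PARSERS[m.group(1)]})")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("".join(out))

def match_message(pattern, message):
    """Return the name-value pairs the rule would set, or None if the rule does not apply."""
    m = pattern_to_regex(pattern).fullmatch(message)
    return None if m is None else {k.replace("__", "."): v for k, v in m.groupdict().items()}

def check_ruleset(xml_text):
    """Like `pdbtool test`: does every <example> of a rule match one of its <pattern>s?"""
    results = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        patterns = [p.text for p in rule.find("patterns").findall("pattern")]
        examples = [e.text for e in rule.iter("example")]
        results[rule.get("id")] = all(
            any(match_message(p, ex) is not None for p in patterns) for ex in examples)
    return results

# Constructed, trimmed copy of the thread's ruleset (the single sshd rule, ids as posted).
RULESET = """<patterndb version='3' pub_date='2010-07-13'>
 <ruleset name='sshd' id='12345678'><pattern>sshd</pattern><rules>
  <rule provider='patterndb' id='aecda233-3d80-48cd-a72b-4896f58069c8' class='system'>
   <patterns><pattern>Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@</pattern></patterns>
   <examples><example>Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</example></examples>
  </rule></rules></ruleset></patterndb>"""
SSHD_PATTERN = ET.fromstring(RULESET).find(".//rule/patterns/pattern").text

# Constructed Solaris-style line: message-id prefix, then the text the rule expects.
RAW_SOLARIS = "[ID 800047 auth.notice] Failed none for abc1234 from 192.0.2.10 port 59301 ssh2"
EMSG = RAW_SOLARIS.split("]", 1)[1]   # what csv_parser(delimiters("]")) leaves in ${EMSG}
```

check_ruleset passes for the XML example, yet match_message returns None for both RAW_SOLARIS (the prefix is still in ${MESSAGE}) and EMSG (leading space); only EMSG.strip() yields the usracct.* values.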