Everything appears to work properly with the patterndb.xml file. Dumping worked fine, and here is what happened when I matched:

# ./pdbtool match -p /opt/syslog-ng/var/patterndb.xml -P su -M "+ pts/2 root:nateh"
MESSAGE=+ pts/2 root:nateh
PROGRAM=su
.classifier.class=system
.classifier.rule_id=04ba999a-75fe-11dd-9bba-001e6806451b

However, when I use my custom XML file with a message that should match, it doesn't work:

# ./pdbtool match -p /opt/syslog-ng/var/capcdb2.xml -P "MSWinEventLog" -M "This is the message"
MESSAGE=This is the message
PROGRAM=MSWinEventLog
.classifier.class=unknown

Here is the relevant part in the XML:

<ruleset name='win' id='2'>
  <pattern>MSWinEventLog</pattern>
  <rules>
    <rule provider='capc' id='2' class='system'>
      <description>Detects Windows logs from Snare</description>
      <patterns>
        <pattern></pattern>
      </patterns>
    </rule>
  </rules>
</ruleset>

I'm assuming that leaving the <pattern> part blank should cause it to match on anything with "MSWinEventLog", right?

Thanks!
-Nate

On Mon, Jan 11, 2010 at 10:33 AM, SZALAY Attila <sasa@balabit.hu> wrote:
Hi!
On Mon, 2010-01-11 at 09:55 -0500, Nate Hausrath wrote:
Right now, the ASA logs are being placed in the other.log file, and no other logs are being placed anywhere (even though I have verified they are being received). Just to reiterate, I'm trying to place the Windows logs in a windows.log file, ASA logs in an asa.log file, and everything else in the other.log file.
You can try to match a log message with the given pattern ruleset with the pdbtool command.
First try to dump the patterndb with the dump command:
pdbtool dump -p /opt/ssb/var/db/patterndb.xml -T
Then check the programs:
pdbtool dump -p /opt/ssb/var/db/patterndb.xml -P zcv
After that (if everything is good) try to match a log message:
pdbtool match -p /opt/ssb/var/db/patterndb.xml -P zcv -M "Iam the message part."
Do not forget to set the program with the -P option.
Did pdbtool find the correct rule?
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
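The thread above shows the two halves of a patterndb lookup that pdbtool exercises: the ruleset is selected by program name, then each rule's `<pattern>` has to match the message itself, and an empty pattern leaves the message classified as unknown. The following is an added example, not syslog-ng's own code and not from the mailing list: a small Python emulation of `pdbtool match` that parses a ruleset XML and supports a subset of the pattern parsers (@STRING@, @ESTRING:name:delim@, @NUMBER@, @ANYSTRING@, and @@ for a literal @). The ruleset XML, the `su` rule pattern, and the rule ids are constructed for the example; the emulation assumes that a message pattern must consume the whole message and that the ruleset's program `<pattern>` is compared literally, which are simplifications of the real radix-tree matcher.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ruleset: the 'win' ruleset as posted in the thread (empty message
# pattern) plus a constructed 'su' ruleset whose pattern extracts the fields of
# "+ pts/2 root:nateh". Rule ids and the su pattern are assumptions, not the
# ids shipped in syslog-ng's patterndb.xml.
AS_POSTED_XML = """<patterndb version='3' pub_date='2010-01-11'>
  <ruleset name='su' id='1'>
    <pattern>su</pattern>
    <rules>
      <rule provider='capc' id='1' class='system'>
        <patterns>
          <pattern>+ @ESTRING:tty: @@ESTRING:from::@@ANYSTRING:to@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
  <ruleset name='win' id='2'>
    <pattern>MSWinEventLog</pattern>
    <rules>
      <rule provider='capc' id='2' class='system'>
        <description>Detects Windows logs from Snare</description>
        <patterns>
          <pattern></pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>"""

# Same database with the empty pattern replaced by an explicit catch-all parser,
# so every message from program MSWinEventLog is classified and its text kept.
FIXED_XML = AS_POSTED_XML.replace("<pattern></pattern>",
                                  "<pattern>@ANYSTRING:body@</pattern>")

# One token is a parser reference (@PARSER:name:arg@), an escaped '@', or literal text.
TOKEN = re.compile(r"@(\w+)(?::(\w*))?(?::([^@]*))?@|@@|[^@]+")
SIMPLE_PARSERS = {"STRING": r"\S+", "NUMBER": r"\d+", "ANYSTRING": r".*"}


def compile_pattern(pattern):
    """Translate a patterndb message pattern into an anchored regular expression."""
    parts = []
    for tok in TOKEN.finditer(pattern):
        kind, name, arg = tok.group(1), tok.group(2), tok.group(3)
        if tok.group(0) == "@@":
            parts.append("@")                      # escaped literal '@'
        elif kind is None:
            parts.append(re.escape(tok.group(0)))  # literal text
        else:
            if kind == "ESTRING":
                # ESTRING runs up to its delimiter (consumed, not captured);
                # with no delimiter it runs to the end of the message.
                inner, tail = (".*?", re.escape(arg)) if arg else (".*", "")
            elif kind in SIMPLE_PARSERS:
                inner, tail = SIMPLE_PARSERS[kind], ""
            else:
                raise ValueError("unsupported parser @%s@" % kind)
            group = "(?P<%s>%s)" % (name, inner) if name else "(?:%s)" % inner
            parts.append(group + tail)
    # Assumption: the pattern has to consume the entire message, so an empty
    # pattern only ever matches an empty message.
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def match(db_xml, program, message):
    """Emulate 'pdbtool match -P program -M message' and return the name-value pairs it prints."""
    root = ET.fromstring(db_xml)
    result = {"MESSAGE": message, "PROGRAM": program, ".classifier.class": "unknown"}
    for ruleset in root.iter("ruleset"):
        # Ruleset selection: the ruleset's own <pattern> children name the program(s).
        if program not in [p.text or "" for p in ruleset.findall("pattern")]:
            continue
        for rule in ruleset.iter("rule"):
            for pat in rule.iter("pattern"):
                m = compile_pattern(pat.text or "").match(message)
                if m:
                    result[".classifier.class"] = rule.get("class")
                    result[".classifier.rule_id"] = rule.get("id")
                    result.update(m.groupdict())
                    return result
    return result


if __name__ == "__main__":
    for db, prog, msg in [(AS_POSTED_XML, "su", "+ pts/2 root:nateh"),
                          (AS_POSTED_XML, "MSWinEventLog", "This is the message"),
                          (FIXED_XML, "MSWinEventLog", "This is the message")]:
        print("\n".join("%s=%s" % kv for kv in match(db, prog, msg).items()), "\n")
```

Running the block reproduces the thread's two observations: the `su` message is classified with its tty and user names extracted, while the posted `win` ruleset leaves "This is the message" at `.classifier.class=unknown` because nothing but an empty message satisfies an empty pattern. With the explicit `@ANYSTRING:body@` rule the same message is classified as `system` and the full text is kept in `body`, which is the shape of rule a filter routing Snare events to windows.log would key on.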