Hi Fabien

I was able to do like you mentioned.

I have another problem now.
My syslog-ng server (syslog-ng OSE 3.0.4, which came by default with the Solaris OS) is not using the patterndb.xml db_parser I configured in syslog-ng.conf. I chopped off the message ID content and the actual message is sent to the pattern-db parser, but none of the macro values that are referenced from here are getting populated in the final log:

 <rule provider="patterndb" id="aecda233-3d80-48cd-a72b-4896f58069c8" class="system">
        <patterns>
          <pattern>Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@</pattern>
        </patterns>
        <examples>
          <example>Failed password for bazsi from 127.0.1.1 port 44637 ssh2</example>
        </examples>
        <values>
          <value name="usracct.type">login</value>
          <value name="usracct.sessionid">$PID</value>
          <value name="usracct.application">$PROGRAM</value>
          <value name="usracct.device">${temp.src_ip}:${temp.src_port}</value>
          <value name="secevt.verdict">REJECT</value>
        </values>
        <tags>
          <tag>usracct</tag>
          <tag>secevt</tag>
        </tags>
      </rule>
Can you help with this?

I highly appreciate the support and responses you have been giving.

On Wed, Oct 1, 2014 at 7:59 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi again,

On Tue, Sep 30, 2014 at 03:59:39PM -0400, Justin Kala wrote:
> How can I chop that content and pass it to the db-parser??

There's multiple ways I can think of: using rewrite rules or a dedicated
parser. The way I do it in production for a similar use case, is using a
csv-parser. If your syslog-ng version allows it, I'd highly recommend
putting the parser inside your source definition. That way you'll be able to
remove the parser once you don't need it anymore (after fixing the Solaris
config). Here's an untested snippet for you that should help you progress:

  source s_solaris {
    channel {
      source {
        network(
          transport(udp)
          port(514)
          flags(syslog-protocol)
        );
      };
      # runs on every message from this source, before any log path sees it
      parser (p_drop_msgid);
    };
  };

  parser p_drop_msgid {
    csv_parser(
      # first column receives the "[ID ...]" prefix, second the rest
      columns(
        "dropme"
        "MESSAGE"
      )
      delimiters(" ")
      # greedy: the last column swallows the remaining text, spaces included
      flags(greedy)
      # treat "[...]" as one quoted field even though it contains spaces
      quote-pairs('[]')
    );
  };

The csv-parser simply puts the unwanted "[ID 123435 auth.notice]" text into
macro ${dropme}, and the rest into ${MESSAGE}, which is then used by your
patterndb parser.

> Also, how do I handle different values, e.g. if the authentication method can be
> password, public key, none, or keyboard-interactive? How do I put the values
> in the pattern-db rule? Do I keep adding them in the example tag of the rule?

That's already being handled in one of the pdb files on github [1].

[1] https://github.com/balabit/syslog-ng-patterndb/blob/master/access/sshd.pdb

Cheers
--
Kaladhar
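As an added illustration (not part of either mail, and not syslog-ng code), here is a small Python model of the two stages discussed in this thread: the csv-parser that drops the "[ID ...]" prefix, and the rule quoted above matched the way patterndb matches, from the first character of ${MESSAGE}. It shows why a message that still carries the prefix yields no values at all. Assumptions: @STRING@ is modelled as a run of non-whitespace characters, and the $PID/$PROGRAM values are constructed.

```python
import re

# Constructed sample: a Solaris syslogd line as received, still carrying the
# "[ID ...]" prefix that the csv-parser in the thread is meant to drop.
RAW_MESSAGE = "[ID 123435 auth.notice] Failed password for bazsi from 127.0.1.1 port 44637 ssh2"

# <pattern> and <value> entries of the rule quoted in the mail, verbatim.
PATTERN = ("Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ "
           "from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@")
VALUES = {"usracct.type": "login", "usracct.sessionid": "$PID",
          "usracct.application": "$PROGRAM", "secevt.verdict": "REJECT",
          "usracct.device": "${temp.src_ip}:${temp.src_port}"}

# Simplified regex stand-ins for the three patterndb parsers the rule uses
# (assumption: @STRING@ modelled as a run of non-whitespace characters).
PARSER_RE = {"STRING": r"\S+", "NUMBER": r"\d+", "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}"}

def drop_msgid(line):
    """Model csv-parser(columns("dropme" "MESSAGE") delimiters(" ") flags(greedy)
    quote-pairs('[]')): the bracket-quoted first field becomes ${dropme}, the
    greedy last column takes the whole remainder as the new ${MESSAGE}."""
    m = re.match(r"(\[[^\]]*\])\s+(.*)$", line)
    if m:
        return {"dropme": m.group(1), "MESSAGE": m.group(2)}
    head, _, rest = line.partition(" ")  # no quoted field: split at first space
    return {"dropme": head, "MESSAGE": rest}

def compile_pattern(pattern):
    """Turn @PARSER:name@ placeholders into capture groups; like patterndb, the
    resulting regex is anchored at the first character of the message."""
    parts = re.split(r"@(\w+):([\w.]+)@", pattern)  # literal, kind, name, ...
    regex, names = re.escape(parts[0]), []
    for i in range(1, len(parts), 3):
        kind, name, literal = parts[i], parts[i + 1], parts[i + 2]
        names.append(name)
        regex += "(%s)%s" % (PARSER_RE[kind], re.escape(literal))
    return re.compile("^" + regex), names

def apply_rule(message, pid="1234", program="sshd"):
    """Name-value pairs the rule yields for ${MESSAGE}, or None when the pattern
    does not match; pid/program stand in for $PID/$PROGRAM from the syslog header."""
    regex, names = compile_pattern(PATTERN)
    m = regex.match(message)
    if not m:
        return None  # an unstripped "[ID ...]" prefix ends up here: no values at all
    nv = dict(zip(names, m.groups()), PID=pid, PROGRAM=program)
    for name, template in VALUES.items():  # expand ${x} and $x in <value> entries
        nv[name] = re.sub(r"\$\{([\w.]+)\}|\$(\w+)",
                          lambda v: nv.get(v.group(1) or v.group(2), ""), template)
    return nv
```

On a syslog-ng release that ships pdbtool, the same check against the real engine is `pdbtool test patterndb.xml` (runs each rule's <example> lines against its patterns) and `pdbtool match -p patterndb.xml -M '<message>'` (prints the values a given message yields).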