Hi again,

On Tue, Sep 30, 2014 at 03:59:39PM -0400, Justin Kala wrote:
> How can I chop that content and pass it to the db-parser?
There are multiple ways I can think of: using rewrite rules or a dedicated parser. The way I do it in production for a similar use case is using a csv-parser. If your syslog-ng version allows it, I'd highly recommend putting the parser inside your source definition. That way you'll be able to remove the parser once you don't need it anymore (after fixing the Solaris config). Here's an untested snippet for you that should help you progress:

    source s_solaris {
        channel {
            source {
                network(
                    transport(udp)
                    port(514)
                    flags(syslog-protocol)
                );
            };
            # the parser lives inside the source, so it is easy to drop later
            parser(p_drop_msgid);
        };
    };

    parser p_drop_msgid {
        csv_parser(
            # first column swallows the "[ID ...]" text, second takes the rest
            columns("dropme" "MESSAGE")
            delimiters(" ")
            # greedy: everything after the first field lands in MESSAGE
            flags(greedy)
            # treat [ ... ] as a quoted field so the spaces inside don't split it
            quote-pairs('[]')
        );
    };

The csv-parser simply puts the unwanted "[ID 123435 auth.notice]" text into macro ${dropme}, and the rest into ${MESSAGE}, which is then used by your patterndb parser.
> Also, how to handle different values, like if the authentication method can be password, public key, none, keyboard interactive? How do I put the values in the pattern-db rule? Do I keep adding them in the example tag of the rule?
That's already being handled in one of the pdb files on GitHub [1].

[1] https://github.com/balabit/syslog-ng-patterndb/blob/master/access/sshd.pdb

Cheers
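As an added illustration (not part of this thread and not syslog-ng code), the following Python re-implements the splitting behaviour the reply's p_drop_msgid relies on and runs it over constructed sample ${MESSAGE} values. It also shows the caveat that makes the "parser inside the source" advice important: a message that does not carry the Solaris "[ID ...]" prefix silently loses its first word to ${dropme}, so the parser must only see the Solaris source. The sample lines, the regex and the function names are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Parser settings copied from the reply's p_drop_msgid definition.
DELIMITER = " "                     # delimiters(" ")
QUOTE_PAIRS = {"[": "]"}            # quote-pairs('[]')
COLUMNS = ("dropme", "MESSAGE")     # columns("dropme" "MESSAGE")

# Assumed shape of the Solaris message-ID prefix, e.g. "[ID 800047 auth.info] ".
SOLARIS_ID_PREFIX = re.compile(r"^\[ID \d+ [a-z0-9]+\.[a-z]+\] ")

# Constructed sample ${MESSAGE} values (syslog header and "program[pid]:"
# already stripped by the network source); not real log data.
SAMPLES: List[str] = [
    "[ID 800047 auth.info] Accepted publickey for alice from 192.0.2.1 port 2222 ssh2",
    "[ID 800047 auth.info] Failed password for bob from 192.0.2.2 port 2223 ssh2",
    "Accepted password for carol from 192.0.2.3 port 2224 ssh2",  # no prefix!
]


def csv_parse(message: str) -> Dict[str, str]:
    """Approximate the reply's csv-parser: every column but the last ends at the
    first delimiter, or at the closing quote when the field opens with a quote
    character (quotes are stripped); the last column is greedy and gets the rest."""
    fields: Dict[str, str] = {}
    rest = message
    for name in COLUMNS[:-1]:
        close = rest.find(QUOTE_PAIRS[rest[0]], 1) if rest[:1] in QUOTE_PAIRS else -1
        if close != -1:
            fields[name] = rest[1:close]        # quoted field, quotes removed
            rest = rest[close + 1:]
        else:
            fields[name], _, rest = rest.partition(DELIMITER)
        rest = rest.lstrip(DELIMITER)           # consume delimiter after the field
    fields[COLUMNS[-1]] = rest                  # flags(greedy): untouched remainder
    return fields


def has_solaris_id_prefix(message: str) -> bool:
    """True when the message still carries the "[ID nnn fac.pri] " prefix."""
    return SOLARIS_ID_PREFIX.match(message) is not None


def run_samples() -> List[Tuple[bool, str, str]]:
    """Return (prefix_present, ${dropme}, ${MESSAGE}) for each sample message."""
    out = []
    for msg in SAMPLES:
        f = csv_parse(msg)
        out.append((has_solaris_id_prefix(msg), f["dropme"], f["MESSAGE"]))
    return out
```

The third sample comes back with dropme="Accepted", i.e. the authentication result is gone before patterndb ever sees it, which is why the parser belongs only on the Solaris source and should be removed once that host's syslog config is fixed.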