Thanks, but what exactly do I have to write in my syslog-ng.conf? I wrote this:

    destination d_garante { file("/var/log/garante"); };
    parser pattern_db { db_parser(file("/var/lib/syslog-ng/patterndb.xml")); };
    log { source(s_local); source(s_network); parser(pattern_db); destination(d_garante); };

Is this right?

----- Message from mcholste@gmail.com ---------
Date: Fri, 18 Nov 2011 09:15:33 -0600
From: Martin Holste <mcholste@gmail.com>
Reply-To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] patterndb
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
From http://enterprise-log-search-and-archive.googlecode.com/svn/trunk/elsa/node/...:
<patterndb version='3' pub_date='2009-11-04'>
  <ruleset name="ssh">
    <pattern>sshd</pattern>
    <rules>
      <rule class="11" id="11">
        <patterns>
          <!-- s0=usracct.authmethod, s1=usracct.username, s2=usracct.device, i0=port, s3=usracct.service -->
          <pattern>Accepted @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
        </patterns>
      </rule>
      <rule class="12" id="12">
        <patterns>
          <!-- s0=usracct.authmethod, s1=usracct.username, s2=usracct.device, i0=port, s3=usracct.service -->
          <pattern>Failed @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
          <pattern>Failed @ESTRING:s0: @for invalid user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
          <pattern>Failed @ESTRING:s0: @for illegal user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
        </patterns>
      </rule>
      <rule class="13" id="13">
        <patterns>
          <!-- s0=usracct.username -->
          <pattern>pam_unix(sshd:session): session closed for user @ANYSTRING:s0:@</pattern>
          <pattern>session closed for user @ANYSTRING:s0:@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>

On Fri, Nov 18, 2011 at 2:31 AM, Gianluca Tranelli <g.tranelli@inarcassa.it> wrote:
Good morning everybody, the time is very good here in Rome, but I don't want to talk about the weather but about patterndb, which is driving me crazy. After reading all of the administration guide v3.3, I found an example of using patterndb to log the duration of an ssh Linux and to log a new formatted message. I just copied the XML, ran update-patterndb, but nothing happened. Am I missing something? Can someone post a complete working example on ssh? Patterndb is driving me crazy.
Thank you in advance.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
----- End of message from mcholste@gmail.com -----
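To check what the posted patterns actually extract from sshd lines before wiring them into syslog-ng, here is an added Python example (not from the thread and not syslog-ng's own code) that turns the ESTRING/ANYSTRING parsers of rules 11 and 12 into regexes and classifies constructed sshd messages. It assumes only the XML above plus syslog-ng's ESTRING semantics (match up to the first delimiter, no backtracking), which is exactly why rule 12 needs its separate "invalid user" pattern.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the ssh ruleset posted in the thread (rules 11 and 12 only).
PATTERNDB_XML = """<patterndb version='3' pub_date='2009-11-04'>
<ruleset name="ssh"><pattern>sshd</pattern><rules>
<rule class="11" id="11"><patterns>
<pattern>Accepted @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
</patterns></rule>
<rule class="12" id="12"><patterns>
<pattern>Failed @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
<pattern>Failed @ESTRING:s0: @for invalid user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
</patterns></rule>
</rules></ruleset></patterndb>"""

TOKEN = re.compile(r"@(ESTRING|ANYSTRING):(\w+):?([^@]*)@")  # @PARSER:name[:param]@

def pattern_to_regex(pattern):
    """ESTRING:name:delim -> text up to the FIRST delim, delim consumed, no backtracking;
    ESTRING with no delimiter and ANYSTRING:name -> the rest of the message.
    Literal text between parsers must match exactly, as in syslog-ng."""
    regex, pos = "^", 0
    for m in TOKEN.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()])
        kind, name, delim = m.groups()
        if kind == "ESTRING" and delim:
            d = re.escape(delim)
            regex += "(?P<%s>(?:(?!%s).)*)%s" % (name, d, d)
        else:
            regex += "(?P<%s>.*)" % name
        pos = m.end()
    return re.compile(regex + re.escape(pattern[pos:]) + "$")

def load_rules(xml_text):
    """[(rule id, regex)] in document order; the ruleset's own <pattern>sshd</pattern>
    selects the program name and is not a message pattern, so it is skipped."""
    root = ET.fromstring(xml_text)
    return [(rule.get("id"), pattern_to_regex(p.text))
            for rule in root.iter("rule") for p in rule.iter("pattern")]

def classify(rules, message):
    """(rule id, extracted fields) for the first matching pattern, else (None, {})."""
    for rule_id, rx in rules:
        m = rx.match(message)
        if m:
            return rule_id, m.groupdict()
    return None, {}

# Constructed sshd line: it fits only rule 12's second pattern, because in the first
# one ESTRING:s1 stops at the first space ("invalid") and the literal "from " then fails.
SAMPLE = "Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2"
```

On a host with syslog-ng installed, `pdbtool match -p /var/lib/syslog-ng/patterndb.xml -P sshd -M '<message>'` performs the same check against the real engine; note that `-P` must equal the ruleset's `<pattern>sshd</pattern>` or no rule in that ruleset is consulted at all.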