Thanks Fabien, that was very helpful. I cannot change the format as of now. Can you provide me the pattern db for the messages sent, like what to add in front of the message, for example: what to put in place of timezone, hostname, program etc., especially this part:

"2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice] "

The rest of the message is written in the example you provided.
Regards,
Kaladhar

On Tue, Sep 30, 2014 at 10:47 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi Justin,
On Tue, Sep 30, 2014 at 10:29:13AM -0400, Justin Kala wrote:
2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice] Failed password for root from 100.200.255.01 port 54438 ssh2
2014-09-28T14:03:46-04:00 abcdef01-app/abcdef01-app sshd[27420]: [ID 800047 auth.notice] Failed publickey for root from 100.200.255.02 port 59219 ssh2
2014-09-28T14:08:28-04:00 abcdef01-app/abcdef01-app sshd[3954]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 100.200.255.03 port 65410 ssh2
2014-09-28T14:10:11-04:00 abcdef01-app/abcdef01-app sshd[5222]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
As it happens, these rules are already out there on github, you can just grab them [1]. That being said, you'll have a slight problem as you seem to be logging from Solaris machines, which unfortunately pollute the message with a msgid. You can either change the patterndb rules, or disable that IMHO useless feature by modifying /kernel/drv/log.conf and optionally using 'echo log_msgid/W0 | adb -kw' [2].
Hope this helps
[1] https://github.com/balabit/syslog-ng-patterndb
[2] http://docs.oracle.com/cd/E19620-01/806-1650/6jau1364v/index.html
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Kaladhar
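To make the prefix question concrete, here is a patterndb ruleset for the four Solaris sshd lines quoted in the thread. It is an added example written for this thread, not a file from the syslog-ng-patterndb repository [1] or anything Fabien posted. The key point is that patterndb matches only the $MESSAGE part: the timestamp, the host (abcdef01-app/abcdef01-app) and the program/pid (sshd[11019]) are already split off by the syslog-ng source driver, so nothing is written for them in the pattern, and the pattern text starts at "[ID". The Solaris msgid and facility.priority are captured into two extra fields instead of being fought. The ruleset and rule ids are placeholders (real rulesets use UUIDs), the field names and classes are my choice, and patterndb version 4 syntax (syslog-ng 3.x) is assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for the thread above; not from the syslog-ng patterndb repository.
     patterndb matches $MESSAGE only: timestamp, host and program/pid are parsed
     by the source driver, so each pattern starts at the Solaris "[ID ..." prefix.
     Ruleset/rule ids are placeholders; real rulesets use UUIDs. -->
<patterndb version="4" pub_date="2014-09-30">
  <ruleset name="sshd-solaris" id="PLACEHOLDER-RULESET-ID">
    <!-- ruleset-level pattern is matched against $PROGRAM, not the message -->
    <pattern>sshd</pattern>
    <rules>
      <!-- "Failed password|publickey|keyboard-interactive for USER from IP port N ssh2" -->
      <rule provider="example" id="PLACEHOLDER-RULE-ID-1" class="violation">
        <patterns>
          <!-- @ESTRING:name:]@ eats everything up to and including the "]" -->
          <pattern>[ID @NUMBER:solaris.msgid@ @ESTRING:solaris.priority:]@ Failed @ESTRING:auth.method: @for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @NUMBER:usracct.port@ ssh2</pattern>
        </patterns>
        <tags>
          <tag>auth.failure</tag>
        </tags>
        <!-- embedded test cases, run with: pdbtool test sshd-solaris.xml -->
        <examples>
          <example>
            <test_message program="sshd">[ID 800047 auth.notice] Failed password for root from 100.200.255.01 port 54438 ssh2</test_message>
            <test_values>
              <test_value name="solaris.msgid">800047</test_value>
              <test_value name="solaris.priority">auth.notice</test_value>
              <test_value name="auth.method">password</test_value>
              <test_value name="usracct.username">root</test_value>
              <test_value name="usracct.device">100.200.255.01</test_value>
              <test_value name="usracct.port">54438</test_value>
            </test_values>
          </example>
          <example>
            <test_message program="sshd">[ID 800047 auth.notice] Failed keyboard-interactive for root from 100.200.255.03 port 65410 ssh2</test_message>
            <test_values>
              <test_value name="auth.method">keyboard-interactive</test_value>
              <test_value name="usracct.device">100.200.255.03</test_value>
              <test_value name="usracct.port">65410</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
      <!-- libsldap bind failure that Solaris sshd logs with its own msgid -->
      <rule provider="example" id="PLACEHOLDER-RULE-ID-2" class="system">
        <patterns>
          <pattern>[ID @NUMBER:solaris.msgid@ @ESTRING:solaris.priority:]@ libsldap: Status: @NUMBER:ldap.status@ Mesg: @ANYSTRING:ldap.message@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="sshd">[ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials</test_message>
            <test_values>
              <test_value name="solaris.msgid">293258</test_value>
              <test_value name="solaris.priority">auth.error</test_value>
              <test_value name="ldap.status">49</test_value>
              <test_value name="ldap.message">openConnection: simple bind failed - Invalid credentials</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Save it as sshd-solaris.xml and run `pdbtool test sshd-solaris.xml` to check the embedded examples, or `pdbtool match -p sshd-solaris.xml -P sshd -M '<message text>'` to try one line ad hoc. If you would rather keep the upstream rules [1] untouched, the other route short of Fabien's kernel tweak is a syslog-ng rewrite rule that strips the prefix before the parser runs, e.g. `subst("^\\[ID [0-9]+ [a-z]+\\.[a-z]+\\] ", "", value("MESSAGE"))`, at the cost of losing the msgid field.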