Cool, thanks for the pattern. So what tags would we use for this? I'm thinking you could tag with net, ssh, login, success. Also, what would be the conventional format for the class, rule, and field names? I think "useracct" had been the prefix before. On Thu, Sep 2, 2010 at 10:44 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Thu, 2010-09-02 at 13:12 +0000, otgovorete@gmail.com wrote:
Hi guys,
I have done a parser for the authentication logs of HPUX. Here is the situation:
A) Sep 22 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
B) Sep  2 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
The parser I've made parses A successfully but not B. The problem is the extra whitespace when the date is one digit. I am testing parsing with pdbtool of syslog-ng.
The outcome of parsing A is:
PROGRAM=ssh
.classifier.class=legitimate
.classifier.rule_id=ssh-succeed
SucceedLogin_MONTH=Sep
SucceedLogin_DATE=22
SucceedLogin_TIME=13:14:24
SucceedLogin_SERVER=serverone
SucceedLogin_SERVICE.ID=sshd[12934]:
SucceedLogin_USER_NAME=username
SucceedLogin_DESTINATION=x.x.x.x
SucceedLogin_SOURCE.PORT=1691
The outcome of parsing B is:
Matching part: Sep  2 13:14:24 serverone
Values:
MESSAGE=Sep  2 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
PROGRAM=ssh
.classifier.class=unknown
Here is the parser from xml file:
<patterns>
  <pattern>@ESTRING:SucceedLogin_MONTH: @@ESTRING:SucceedLogin_DATE: @@ESTRING:SucceedLogin_TIME: @@ESTRING:SucceedLogin_SERVER: @@ESTRING:SucceedLogin_SERVICE.ID: @Accepted keyboard-interactive/pam for @ESTRING:SucceedLogin_USER_NAME: @from @ESTRING:SucceedLogin_DESTINATION: @port @ESTRING:SucceedLogin_SOURCE.PORT: @ssh2</pattern>
</patterns>
and here is the command pdbtool:
/opt/syslog-ng/bin/pdbtool match -D -c -p login.parser.new.xml -P "ssh" -M "Sep 22 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2"
Please advise me how to proceed. Thank you.
With -M you need to pass only the $MSG portion of the syslog message. Alternatively you can use pdbtool match -f <filename>, which will read and _parse_ syslog messages from the given file and only pass the payload for parsing.
So, in your rule, you don't need the day/month macros.
And if you really wanted to parse the date, you could perhaps use the @NUMBER@ parser.
-- Bazsi
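To illustrate the suggestion above, here is an added example (not from the thread or the syslog-ng project) of a patterndb v3 rule that matches only the $MSG payload, so the syslog header and its single-digit-day double space never reach the pattern matcher. The "useracct." field prefix follows the prefix mentioned earlier in the thread; the ruleset/rule ids, provider and the tags are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. ids, provider and tags are
     assumptions; the field prefix "useracct." follows the thread. -->
<patterndb version="3" pub_date="2010-09-02">
  <!-- The program pattern is matched against $PROGRAM. When the full
       syslog line is parsed (pdbtool match -f file), PROGRAM is "sshd",
       not "ssh", so the ruleset must be bound to "sshd". -->
  <ruleset name="sshd" id="ssh-example-ruleset">
    <patterns>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule provider="example" id="ssh-succeed" class="legitimate">
        <patterns>
          <!-- No month/day/time/host/program fields: they belong to the
               syslog header, which syslog-ng parses before patterndb
               sees the message. The auth method is parsed with ESTRING
               so publickey/password logins match too; the port is a
               plain number, so @NUMBER@ is the right parser there. -->
          <pattern>Accepted @ESTRING:useracct.authmethod: @for @ESTRING:useracct.username: @from @ESTRING:useracct.device: @port @NUMBER:useracct.port@ ssh2</pattern>
        </patterns>
        <tags>
          <tag>net</tag>
          <tag>ssh</tag>
          <tag>login</tag>
          <tag>success</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Test it with the payload only, e.g. pdbtool match -p login.parser.new.xml -P sshd -M "Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2", or with -f against a file holding the full lines A and B; both should then classify as legitimate.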
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html