Hi Michael!

First, when using pdbtool for testing, you should specify -P "ssh" on the command line, because your rule will only match if the program name is "ssh". Second, be careful with spaces and line breaks!
Patterndb patterns are very sensitive to white space and line breaks: if the log is a single-line one, then your pattern shouldn't have any line break. In your case, the problem is with spaces.
In patterndb, there is no need to escape spaces, because they are taken literally: one space in the pattern means one space matching in the log. So you should delete the space after the "Accepted" word, and you should
delete another space and the backslash after "from". With these modifications, I managed to match the line. So here is my pattern:

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2010-10-17'>
  <ruleset name='ssh' id='123456678'>
    <pattern>ssh</pattern>
    <rules>
      <rule provider='me' id='182437592347598' class='system'>
        <patterns>
          <pattern>Accepted@QSTRING:SSH.AUTH_METHOD: @for@QSTRING:SSH_USERNAME: @from@QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>

And the pdbtool line:

bin/pdbtool match -p /tmp/test.xml -P "ssh" -M "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2"

Hope I could help you.

Best Regards,
Viktor
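
An added illustration of the whitespace rule described above (not part of this thread, and not syslog-ng's own code): a small Python model of patterndb matching in which every literal character of the pattern, spaces and line breaks included, must be present in the message at that position. It runs Michael's pattern and Viktor's corrected pattern against the ssh test line, and then, as a rule of my own, the ASA 106100 line from the quoted question. The ASA field names, the rule id "asa-106100-example", and the assumption that syslog-ng delivers the text from "access-list" onwards as the MESSAGE are all assumptions of this example, and the model supports only the QSTRING, ESTRING, NUMBER, IPv4 and ANYSTRING parsers.

```python
"""Minimal model of syslog-ng patterndb matching, added for illustration only
(not syslog-ng's own code).  Supports QSTRING, ESTRING, NUMBER, IPv4 and
ANYSTRING; literals (whitespace included) must match byte-for-byte, a parser
consumes its delimiters, and a rule matches only if the whole message is used."""
import re

TOKEN_RE = re.compile(r"@@|@([^@]*)@|[^@]+")
NUMBER_RE = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")
IPV4_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")


def tokenize(pattern):
    """Split a pattern into ('lit', text) and ('parser', kind, name, param)
    tokens: '@@' is a literal '@', '@KIND:name:param@' is a parser."""
    tokens = []
    for m in TOKEN_RE.finditer(pattern):
        if m.group(1) is None:                       # literal text
            text = "@" if m.group(0) == "@@" else m.group(0)
            if tokens and tokens[-1][0] == "lit":
                tokens[-1] = ("lit", tokens[-1][1] + text)
            else:
                tokens.append(("lit", text))
        else:                                        # @KIND:name:param@
            kind, _, rest = m.group(1).partition(":")
            name, _, param = rest.partition(":")
            tokens.append(("parser", kind, name, param))
    return tokens


def apply_parser(kind, param, rest):
    """Run one parser at the start of rest; return (value, consumed) or None."""
    if kind == "QSTRING":       # text between an opening and a closing delimiter
        if not rest.startswith(param[0]):
            return None
        end = rest.find(param[-1], 1)
        return None if end < 0 else (rest[1:end], end + 1)
    if kind == "ESTRING":       # text up to, and consuming, the delimiter
        end = rest.find(param) if param else len(rest)
        return None if end < 0 else (rest[:end], end + len(param))
    if kind == "NUMBER":        # decimal or 0x-prefixed hexadecimal
        m = NUMBER_RE.match(rest)
        return None if m is None else (m.group(0), m.end())
    if kind == "IPv4":
        m = IPV4_RE.match(rest)
        if m is None or any(int(o) > 255 for o in m.groups()):
            return None
        return m.group(0), m.end()
    if kind == "ANYSTRING":     # the rest of the message
        return rest, len(rest)
    raise ValueError("unsupported parser @%s@" % kind)


def match(pattern, message):
    """Return the extracted name/value dict, or None if the rule does not match."""
    values, pos = {}, 0
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            if not message.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
            continue
        hit = apply_parser(tok[1], tok[3], message[pos:])
        if hit is None:
            return None
        if tok[2]:
            values[tok[2]] = hit[0]
        pos += hit[1]
    return values if pos == len(message) else None


# The two patterns from the thread, each on one line (Michael's file also had
# line breaks; only the whitespace differences are kept here).
MICHAEL_PATTERN = ("Accepted @QSTRING:SSH.AUTH_METHOD: @for@QSTRING:SSH_USERNAME: @"
                   "from\\ @QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2")
VIKTOR_PATTERN = ("Accepted@QSTRING:SSH.AUTH_METHOD: @for@QSTRING:SSH_USERNAME: @"
                  "from@QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2")
# Assumed rule for the ASA 106100 body: field names are made up for this example,
# and it assumes syslog-ng hands over the text from "access-list" on as MESSAGE.
ASA_PATTERN = ("access-list @ESTRING:ASA.ACL: @@ESTRING:ASA.ACTION: @@ESTRING:ASA.PROTO: @"
               "@ESTRING:ASA.SRC_IF:/@@IPv4:ASA.SRC_IP@(@NUMBER:ASA.SRC_PORT@) -> "
               "@ESTRING:ASA.DST_IF:/@@IPv4:ASA.DST_IP@(@NUMBER:ASA.DST_PORT@) hit-cnt "
               "@NUMBER:ASA.HIT_CNT@ @ANYSTRING:ASA.REST@")

SSH_MSG = "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2"
ASA_MSG = ("access-list INOUT denied tcp inside/1.2.3.4(64576) -> outside/5.6.7.8(80) "
           "hit-cnt 1 first hit [0x59bca63e, 0x620e5b55]")
RULES = [  # (rule id, class, pattern), like the <rule> elements in the XML
    ("182437592347598", "system", VIKTOR_PATTERN),
    ("asa-106100-example", "security", ASA_PATTERN),
]


def classify(message, rules=RULES):
    """First matching rule wins; no match gives class 'unknown', as pdbtool printed."""
    for rule_id, cls, pattern in rules:
        values = match(pattern, message)
        if values is not None:
            return rule_id, cls, values
    return None, "unknown", {}


if __name__ == "__main__":
    print(match(MICHAEL_PATTERN, SSH_MSG), match(VIKTOR_PATTERN, SSH_MSG))
    print(classify(ASA_MSG))
```

Running it prints None for Michael's pattern, because the literal "Accepted " consumes the only space and the QSTRING that must open on a space then finds "password" instead, the four SSH fields for Viktor's pattern, and the ASA fields for the assumed rule. Inserting a line break into Viktor's pattern makes it fail the same way, since the newline is just another literal character. Before using the ASA rule in a real ruleset it would still need to be checked with pdbtool match -P against the program name syslog-ng actually extracts from the ASA header, which this model does not attempt.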


On Tue, Jul 1, 2014 at 11:49 PM, Michael Starks <syslog-ng-list@michaelstarks.com> wrote:
x-posted from ELSA mailing list; no replies there so please excuse the
noise.

I am trying to add an additional ASA log message that is unclassified in
ELSA. To make a long story short, *nothing* seems to be matching with
pdbtool. Here is the line I am trying to work with:

Jun 23 00:00:05 192.168.1.4 %ASA-3-106100: access-list INOUT denied tcp inside/1.2.3.4(64576) -> outside/5.6.7.8(80) hit-cnt 1 first hit [0x59bca63e, 0x620e5b55]

Putting that aside for the moment since I can't get it to work, I went
straight to the syslog-ng docs
(https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html-single/index.html#chapter-patterndb)
and used the example. I created /etc/elsa/patterns.d/test.xml with this
content:

<patterndb version='4' pub_date='2010-10-17'>
     <ruleset name='ssh' id='123456678'>
         <pattern>ssh</pattern>
             <rules>
                 <rule provider='me' id='182437592347598' class='system'>
                     <patterns>
                         <pattern>Accepted @QSTRING:SSH.AUTH_METHOD: @
for@QSTRING:SSH_USERNAME: @from\ @QSTRING:SSH_CLIENT_ADDRESS: @port
@NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
                     </patterns>
                 </rule>
             </rules>
     </ruleset>
</patterndb>

I then tested with this line:

/usr/local/syslog-ng/bin/pdbtool match -p /etc/elsa/patterns.d/test.xml -M "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2"

The result is this:

MESSAGE=Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2
.classifier.class=unknown

Details are:

[root@hostname elsa]# /usr/local/syslog-ng-3.2.4/sbin/syslog-ng -V
syslog-ng 3.2.4
Installer-Version: 3.2.4
Revision:
ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
Compile-Date: May 23 2012 09:58:14
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off

[root@hostname elsa]# cat /etc/redhat-release
Oracle Linux Server release 6.5

Thank you in advance.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq