On Thu, 2010-09-02 at 13:12 +0000, otgovorete@gmail.com wrote:
Hi guys,
I have done parser for the authentication logs of HPUX. Here is the situation:
A) Sep 22 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
B) Sep  2 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
The parser I've made parses A successfully but not B. The problem is the extra whitespace when the date is one digit. I am testing parsing with pdbtool of syslog-ng.
The outcome of parsing A is:
PROGRAM=ssh
.classifier.class=legitimate
.classifier.rule_id=ssh-succeed
SucceedLogin_MONTH=Sep
SucceedLogin_DATE=22
SucceedLogin_TIME=13:14:24
SucceedLogin_SERVER=serverone
SucceedLogin_SERVICE.ID=sshd[12934]:
SucceedLogin_USER_NAME=username
SucceedLogin_DESTINATION=x.x.x.x
SucceedLogin_SOURCE.PORT=1691
The outcome of parsing B is:
Matching part: Sep  2 13:14:24 serverone
Values:
MESSAGE=Sep  2 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
PROGRAM=ssh
.classifier.class=unknown
Here is the parser from xml file:
<patterns>
  <pattern>@ESTRING:SucceedLogin_MONTH: @@ESTRING:SucceedLogin_DATE: @@ESTRING:SucceedLogin_TIME: @@ESTRING:SucceedLogin_SERVER: @@ESTRING:SucceedLogin_SERVICE.ID: @Accepted keyboard-interactive/pam for @ESTRING:SucceedLogin_USER_NAME: @from @ESTRING:SucceedLogin_DESTINATION: @port @ESTRING:SucceedLogin_SOURCE.PORT: @ssh2</pattern>
</patterns>
and here is the command pdbtool:
/opt/syslog-ng/bin/pdbtool match -D -c -p login.parser.new.xml -P "ssh" -M "Sep 22 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2"
Please advise me how to proceed. Thank you.
With -M you need to pass only the $MSG portion of the syslog message. Alternatively you can use pdbtool match -f <filename>, which will read and _parse_ syslog messages from the given file and only pass the payload for parsing. So, in your rule, you don't need the day/month macros. And if you really wanted to parse the date, you could perhaps use the @NUMBER@ parser.
-- Bazsi
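An added illustration (not part of the thread, and not syslog-ng code) of why the posted rule breaks on a single-digit day and why Bazsi's advice fixes it: the BSD syslog header pads the day to two characters, so a rule that consumes fields up to exactly one space gets an empty DATE and every later field shifts. Splitting the header off first, the way the reply says pdbtool -f does before handing over the payload, leaves only the sshd text to match. The log lines are constructed after the two in the question, with 192.0.2.10 standing in for the masked address.

```python
import re

# Constructed samples modelled on lines A and B from the question.
LINE_A = "Sep 22 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from 192.0.2.10 port 1691 ssh2"
LINE_B = "Sep  2 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from 192.0.2.10 port 1691 ssh2"

# BSD syslog header: MMM (d)d HH:MM:SS host MSG. The day is right-aligned in a
# two-character field, so a one-digit day is preceded by two spaces; \s+ absorbs
# the padding, whereas a field delimited by exactly one space does not.
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# PROGRAM[PID]: payload -- the split that yields $PROGRAM and $MSG.
PROGRAM_RE = re.compile(r"^(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<payload>.*)$")
# Only this part of the line needs a patterndb rule once the header is gone.
ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)


def naive_fields(line):
    """Mimic a rule built from single-space ESTRINGs: split on each single space.
    On a one-digit day the second element is '' and everything after it shifts."""
    return line.split(" ")


def split_header(line):
    """Separate the syslog header from the message payload (what -f does for you)."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a BSD syslog line: %r" % line)
    return m.groupdict()


def parse_accept(line):
    """Return header fields plus program/pid and the sshd accept fields, or None."""
    hdr = split_header(line)
    prog = PROGRAM_RE.match(hdr["msg"])
    if prog is None:
        return None
    acc = ACCEPT_RE.match(prog.group("payload"))
    if acc is None:
        return None
    out = {k: v for k, v in hdr.items() if k != "msg"}
    out.update(program=prog.group("program"), pid=prog.group("pid"))
    out.update(acc.groupdict())
    return out


if __name__ == "__main__":
    for line in (LINE_A, LINE_B):
        print(naive_fields(line)[:4], parse_accept(line))
```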