Hi guys,

I have done parser for the authentication logs of HPUX. Here is the situation:

A)Sep 22 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
B)Sep 2 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2

The parser i've made parses successfully A but not B. The problem is extra whitespace when the date is one digit. I am testing parsing with pdbtool of syslog-ng.

The outcome of parsing of A is:
PROGRAM=ssh
.classifier.class=legitimate
.classifier.rule_id=ssh-succeed
SucceedLogin_MONTH=Sep
SucceedLogin_DATE=22
SucceedLogin_TIME=13:14:24
SucceedLogin_SERVER=serverone
SucceedLogin_SERVICE.ID=sshd[12934]:
SucceedLogin_USER_NAME=username
SucceedLogin_DESTINATION=x.x.x.x
SucceedLogin_SOURCE.PORT=1691

The outcome of parsing if B is:
Matching part:
Sep 2 13:14:24 serverone
Values:
MESSAGE=Sep 2 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
PROGRAM=ssh
.classifier.class=unknown

Here is the parser from xml file:

<patterns> <pattern>@ESTRING:SucceedLogin_MONTH: @@ESTRING:SucceedLogin_DATE: @@ESTRING:SucceedLogin_TIME: @@ESTRING:SucceedLogin_SERVER: @@ESTRING:SucceedLogin_SERVICE.ID: @Accepted keyboard-interactive/pam for @ESTRING:SucceedLogin_USER_NAME: @from @ESTRING:SucceedLogin_DESTINATION: @port @ESTRING:SucceedLogin_SOURCE.PORT: @ssh2</pattern> </patterns>

and here is the command pdbtool:

/opt/syslog-ng/bin/pdbtool match -D -c -p login.parser.new.xml -P "ssh" -M "Sep 22 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2"

Please, advice me how to proceed. Thank you.

Kosta