That sounds like a pretty cool setup. Wish I had the time but my "we" is a mirror.  

Guess your doing the routing with filter definitions then? 

On Sep 12, 2016, at 4:19 PM, Evan Rempel <erempel@uvic.ca> wrote:

It is not so much the patterndb, but the name value pairs that you place into the json object. We use a template of

template( $(format-json --scope rfc5424,nv-pairs \
                        --exclude DATE \
                        --exclude 0 \
                        --exclude 1 \
                        --exclude 2 \
                        --exclude LEGACY_MSGHDR \
                        --exclude AUTHPROGRAM \
                        --exclude SOURCE \
                        --exclude HOST_FROM \
                        --exclude synopsis \
                        --exclude allofit \
                        --exclude therest \
                        --exclude R_* \
                        --exclude S_* \
                        --key ISODATE )\n")

Some of the exclusions are due to values that our patterndb populates. All of the names that are specific to our database patterns are:
DATE, 0, 1, 2, AUTHPROGRAM, synopsis, allofit, therest


We did write all of our own database patterns. We wrote our own web front end to a database and auto-generate the syslog-ng pattern database. Just a little over 5,000 patterns and growing.

We took a different approach. Rather than rewriting the syslog-ng config, filtering and logging details, we classify messages with a tag from the patterndb. A static syslog-ng configuration that matches on the tags from the patterndb and filters and logs based on the pattern tags.

We route messages to different analysis engines based on the message classification. Soome backends are:

- create an alert/ticket
- rate threshold trigger of and event
- collect multiple lines together and alert a digest of the log lines
- execute an external program
- start/continue timer - heartbeat events

There are lots of others that are on our roadmap.

I hope this description gets you started.

Evan.


On 09/12/2016 12:29 PM, Scot Needy wrote:
Thanks again Evan, So it should work as expected. 

Could you share how you defined the patterndb in the conf or comment on mine and did you need to write all your own pattern file or were you able to leverage the community ? 

I have a REST api to an ipam server and from there I generate a filter,destination and log for each subnet which is used for log files but my ES destination and log destination is very basic.  


# SYSLOG-NG.CONF
@version:3.8
@include "scl.conf"
@module mod-java

parser pattern_db {
  db-parser(
    file("/var/lib/syslog-ng/patterndb.xml")
  );
};
source s_netsyslog {
        udp();
        tcp();
};
destination d_es {
        elasticsearch2(
                index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
                type("syslog-ng") # Description: The type of the index. For example, type("test")
                port("9300")
                server("127.0.0.1")
                client-mode("transport")
                skip-cluster-health-check("yes")
                cluster("meo")
                resource("/etc/elasticsearch/elasticsearch.yml")
                client_lib_dir("/usr/share/elasticsearch/lib")
        );
};
log {
        source(s_netsyslog);
        parser(pattern_db);
        destination(d_es);
 };
 
On Sep 12, 2016, at 2:25 PM, Evan Rempel <erempel@uvic.ca> wrote:

Using the patterndb to associate metadata with each syslog message is great, however, you have to ensure that those additional fields are output into the json object that you send to elasticsearch.

We do exactly what you are trying to do, so that our elasticsearch document contains all of the fields parsed by our patterndb.

as an example we have a log line of

September 12th 2016, 11:17:25.836    chiru.comp.uvic.ca    mail.info    in.imapproxyd: LOGOUT: '"vgmodi"' from server sd [200]

and an elasticsearch document shown below. The cfgmgr* fields come from our asset management system. The PATTERNID comes from our pattern database entry and the user and sd fields come from the patterndb data parsers.

You don't need to have a pattern for every log line at the start. The second example below is a syslog line that does NOT match any pattern in our database.

{
  "_index": "flare-2016.09.12.11",
  "_type": "flare",
  "_id": "AVcfnhBMpdjtwzWgS7rU",
  "_score": 1,
  "_source": {
    "user": "vgmodi",
    "sd": "200",
    "flare": {
      "profile": "DCS"
    },
    "cfgmgrrole": "ADMIN",
    "cfgmgrosFull": "Redhat 5_64",
    "cfgmgros": "unix",
    "cfgmgrmodel": "ESX 5",
    "cfgmgrlocation": "ESX-BCP",
    "cfgmgrenvironment": "BCP PROD",
    "cfgmgrassetType": "Virtual Server",
    "SOURCEHOST": "chiru.comp.uvic.ca",
    "SHORTHOST": "chiru",
    "PROGRAM": "in.imapproxyd",
    "PRIORITY": "info",
    "PID": "5129",
    "PATTERNID": "864",
    "MESSAGE": "LOGOUT: '\"vgmodi\"' from server sd [200]",
    "ISODATE": "2016-09-12T11:17:25.836-07:00",
    "HOST": "chiru.comp.uvic.ca",
    "FACILITY": "mail"
  },
  "fields": {
    "ISODATE": [
      1473704234822
    ]
  }
}

Non-matching log line.

{
  "_index": "flare-2016.09.12.11",
  "_type": "flare",
  "_id": "AVcfpLpIpdjtwzWgXfVD",
  "_score": 1,
  "_source": {
    "flare": {
      "profile": "DCS"
    },
    "cfgmgrrole": "ADMIN",
    "cfgmgrosFull": "Redhat 6_64",
    "cfgmgros": "unix",
    "cfgmgrmodel": "ESX 5",
    "cfgmgrlocation": "ESX-PROD",
    "cfgmgrenvironment": "Prod",
    "cfgmgrassetType": "Virtual Server",
    "SOURCEHOST": "tyrant.comp.uvic.ca",
    "SHORTHOST": "tyrant",
    "PROGRAM": "cas",
    "PRIORITY": "info",
    "MESSAGE": "prod: [ajp-apr-8009-exec-37]: Mon Sep 12 11:24:31 PDT 2016,CAS,SERVICE_TICKET_NOT_CREATED,https://www.uvic.ca/netlink/j_spring_cas_security_check,audit:unknown,206.87.181.44,www.uvic.ca",
    "ISODATE": "2016-09-12T11:24:31.000-07:00",
    "HOST": "tyrant.comp.uvic.ca",
    "FACILITY": "daemon"
  },
  "fields": {
    "ISODATE": [
      1473704671000
    ]
  }
}


On 09/12/2016 11:08 AM, Scot Needy wrote:
Hello List, 

  
I’m trying to understand the use case of pattern_db when the destination will be ES. My initial understanding was that I could use patterndb as an engine to tag my log message data with attributes, but it doesn’t seem to work that way. I have a json output like this in Kibana. 

In a loghost deployment, It looks like I would need to manually align a patterndb filter with each host_message type even before patterned comes into play.  

Q) What is the right solution for enriching message data into ES ? 

Example JSON from Kibana MESSAGE is not parsed.  
=======================
{
  "_index": "syslog-ng_2016.09.12",
  "_type": "syslog-ng",
  "_id": "AVcdnzJla9VjMdxDYo8Z",
  "_score": null,
  "_source": {
    "PROGRAM": “###-asa11",
    "PRIORITY": "warning",
    "MESSAGE": "%ASA-4-106023: Deny tcp src outside:###.###.31.2/33553 dst public:###.###.7.191/443 by access-group \"outside_access_in\" [0x2c1c6a65, 0x0]",
    "ISODATE": "2016-09-12T13:57:03-04:00",
    "HOST": “###.###.###.###",
    "FACILITY": "local5",
    "@timestamp": "2016-09-12T13:57:03-04:00"
  },
  "fields": {
    "ISODATE": [
      1473703023000
    ],
    "@timestamp": [
      1473703023000
    ]
  },
  "sort": [
    1473703023000
  ]
}

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq