Fabien,

This is the configuration I put in place. I tried to print the classifier.class and classifier.id from db_parser and got the value unknown in the log message.

================================================================
log {
    source(remote);
    filter(f_auth);
    parser(p_drop_msgid);
    parser(p_tmsgid);
    parser(pattern_db);
    destination(r_auth);
};

#Source
source remote {
    internal();
    udp(ip(0.0.0.0) port(514));
};

#filter
filter f_auth { facility(auth,user); };

#parser01
parser p_drop_msgid {
    csv_parser( columns("dropme", "EMSG") delimiters("]") );
};

#parser02
parser p_tmsgid {
    csv_parser( columns("EMSG01") delimiters("") template("${EMSG}") );
};

#parser03
parser pattern_db {
    db_parser( file("/test/syslogs/script/parser/patterndb.xml") );
};

#template 01
template t_msg_dbparser {
    template("${.classifier.class}|${.classifier.id}\n");
};

destination r_auth {
    file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"
        owner(root) group(test) perm(0640)
        #template("<#|${EMSG01}|#>\n")
        template(t_msg_dbparser)
    );
};

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2010-07-13'>
  <ruleset name='sshd' id='12345678'>
    <description>
      This ruleset covers the OpenSSH server.
    </description>
    <url>www.openssh.com</url>
    <pattern>sshd</pattern>
    <rules>
      <rule provider="patterndb" id="aecda233-3d80-48cd-a72b-4896f58069c8" class="system">
        <patterns>
          <pattern>Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@</pattern>
        </patterns>
        <examples>
          <example>Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</example>
        </examples>
        <values>
          <value name="usracct.type">login</value>
          <value name="usracct.sessionid">$PID</value>
          <value name="usracct.application">$PROGRAM</value>
          <value name="usracct.device">${temp.src_ip}:${temp.src_port}</value>
          <value name="secevt.verdict">REJECT</value>
        </values>
        <tags>
          <tag>usracct</tag>
          <tag>secevt</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>

For this the log message is:
===========================================================
* cat messagesAuth.2014.10.02.16
unknown|unknown|
*
===========================================================

Thanks & Regards
Justin Kala

On Thu, Oct 2, 2014 at 10:38 AM, Justin Kala <justinkala@gmail.com> wrote:
Hi
This is how I configured it, and the final log message:

parser p_drop_msgid { csv_parser( columns( "dropme", "EMSG" ) delimiters("]") ); };
parser pattern_db { db_parser( file("/test/syslogs/script/parser/patterndb.xml") ); };
destination r_auth { file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR" owner(root) group(salars) perm(0640)
template("<#|${S_FULLDATE}|${usracct.type}|${usracct.device}|${usracct.application}|${secevt.verdict}|${EMSG}|${usracct.username}|#>\n") ); };
log { source (remote); filter (f_auth); parser(p_drop_msgid); parser(pattern_db); destination (r_auth); };
Final Log message: <#|2014 Oct 1 16:07:54|||||[ID 800047 auth.notice] Failed none for abc1234 from 100.200.300.10 port 59301 ssh2||#>
Thanks & Regards
On Thu, Oct 2, 2014 at 3:26 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi,
On Wed, Oct 01, 2014 at 10:48:44PM -0400, Justin Kala wrote:
My syslog-ng server (Syslog-ng OSE 3.0.4, which came by default with the Solaris OS) is not using the patterndb.xml db_parser I configured in syslog-ng.conf. I chopped off the message ID content and the actual message is sent to the pattern-db parser, but all the macro values that are referred to from there are not getting populated in the final log.
Can you elaborate on the nature of "the final log"? If you're simply using a file destination with default template, you won't see any of the macros, as by default only $DATE, $HOST, $PROGRAM, $PID and $MSG are shown. You need to explicitly do that in the template format.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Kaladhar
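An added offline check, not part of the thread or of syslog-ng: it approximates in Python the three patterndb parser types the sshd rule uses (@STRING@, @IPv4@, @NUMBER@) and the csv split on "]" that p_drop_msgid performs, so the rule can be tried against exactly the text the parser chain produces. The sample line is constructed (private IP substituted) and the regex translation is a stand-in for db_parser; what it makes visible is that the text after the "]" still begins with a space while the pattern is anchored at "Failed".

```python
import re

# Regex approximations of the three patterndb parser types the sshd rule uses.
# Constructed stand-in for offline checking, not syslog-ng's own matcher;
# @STRING@ defaults to alphanumerics only, which still covers "ssh2" and "abc1234".
PARSERS = {
    "STRING": r"[A-Za-z0-9]+",
    "NUMBER": r"[0-9]+",
    "IPv4": r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(?:\.(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])){3}",
}

# The <pattern> from the sshd rule in the thread, copied verbatim.
RULE = ("Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ "
        "from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@")


def pattern_to_regex(pattern):
    """Translate a patterndb pattern into a regex anchored at both ends, as db_parser matches."""
    parts, pos = [], 0
    for m in re.finditer(r"@(\w+):([\w.]+)@", pattern):
        parts.append(re.escape(pattern[pos:m.start()]))   # literal text between parsers
        kind, name = m.group(1), m.group(2)
        group = name.replace(".", "__")                   # regex group names cannot contain '.'
        parts.append("(?P<%s>%s)" % (group, PARSERS[kind]))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def match(pattern, message):
    """Return the name/value pairs the rule would set, or None if it does not match."""
    m = pattern_to_regex(pattern).match(message)
    if m is None:
        return None
    return {k.replace("__", "."): v for k, v in m.groupdict().items()}


def csv_split_emsg(msg, delimiter="]"):
    """Mimic csv_parser(columns("dropme", "EMSG") delimiters("]")): EMSG is all text after the first ']'."""
    _dropme, _, emsg = msg.partition(delimiter)
    return emsg


if __name__ == "__main__":
    # Constructed sample shaped like the Solaris line in the thread (private IP substituted).
    raw = "[ID 800047 auth.notice] Failed none for abc1234 from 10.0.0.5 port 59301 ssh2"
    emsg = csv_split_emsg(raw)
    print(repr(emsg))                  # note the leading space after the ']'
    print(match(RULE, emsg))           # None: the pattern is anchored at "Failed"
    print(match(RULE, emsg.strip()))   # fields populated once the space is gone
```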