Fabien
 
 
This is the configuration I put and tried to print the classifier.class and classifier.if from db_parser and got the value as unknow in the log message.
 
================================================================
log { source (remote); filter (f_auth); parser(p_drop_msgid); parser(p_tmsgid);  parser(pattern_db);  destination (r_auth); };

#Source
source remote {
                       internal();
                       udp(ip(0.0.0.0) port(514));
                       };

#filter
filter f_auth   { facility (auth,user);   };

#parser01
parser p_drop_msgid {
     csv_parser(
       columns(
         "dropme",
         "EMSG"
       )
       delimiters("]")
     );
 };

#parser02
parser p_tmsgid {
     csv_parser(
       columns(
         "EMSG01"
       )
       delimiters("")
     template("${EMSG}"));
 };

#parser03
parser pattern_db {
            db_parser(
                file("/test/syslogs/script/parser/patterndb.xml")
            );
            };

#template 01
template t_msg_dbparser {template("${.classifier.class}|${.classifier.id}\n"); };


destination r_auth  {
file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"
owner(root) group(test) perm(0640)
#template ("<#|${EMSG01}|#>\n")
template (t_msg_dbparser)
);
 };

 

<?xml version='1.0' encoding='UTF-8'?>
        <patterndb version='3' pub_date='2010-07-13'>
        <ruleset name='sshd' id='12345678'>
        <description>
        This ruleset covers the OpenSSH server.
        </description>
        <url>www.openssh.com</url>
        <pattern>sshd</pattern>
        <rules>

 <rule provider="patterndb" id="aecda233-3d80-48cd-a72b-4896f58069c8" class="system">
        <patterns>
          <pattern>Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@</pattern>
        </patterns>
        <examples>
          <example>Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</example>
        </examples>
        <values>
          <value name="usracct.type">login</value>
          <value name="usracct.sessionid">$PID</value>
          <value name="usracct.application">$PROGRAM</value>
          <value name="usracct.device">${temp.src_ip}:${temp.src_port}</value>
          <value name="secevt.verdict">REJECT</value>
        </values>
        <tags>
          <tag>usracct</tag>
          <tag>secevt</tag>
        </tags>
</rule>
        </rules>
        </ruleset>
        </patterndb>
 
 
For this the log message is :
===========================================================
 cat messagesAuth.2014.10.02.16
unknown|
unknown|
===========================================================
 
 
Thanks & Regards
Justin Kala

On Thu, Oct 2, 2014 at 10:38 AM, Justin Kala <justinkala@gmail.com> wrote:
Hi
 
This is how I configured and the Final Log Message
parser p_drop_msgid {
     csv_parser(
       columns(
         "dropme",
         "EMSG"
       )
       delimiters("]")
     );
 };

parser pattern_db {
            db_parser(
                file("/test/syslogs/script/parser/patterndb.xml")
            );
            };


destination r_auth  {
file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"
owner(root) group(salars) perm(0640)
template("<#|${S_FULLDATE}|${usracct.type}|${usracct.device}|${usracct.application}|${secevt.verdict}|${EMSG}|${usracct.username}|#>\n")
);
 };


log { source (remote); filter (f_auth); parser(p_drop_msgid); parser(pattern_db);  destination (r_auth); };

Final Log message:

<#|2014 Oct  1 16:07:54|||||[ID 800047 auth.notice] Failed none for abc1234 from 100.200.300.10 port 59301 ssh2||#>
 
Thanks & Regards

On Thu, Oct 2, 2014 at 3:26 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi,

On Wed, Oct 01, 2014 at 10:48:44PM -0400, Justin Kala wrote:
> my syslog-ng server (Syslog-ng OSE 3.0.4), this came default with SOLARIS
> OS..
>  is not using patterndb.xml db_parser i configured in syslog-ng.conf. I
> chopped off the message id content and the actual message  is sent to
> pattern-db parser but all the macro values that are referred from here are
> not getting populated in the final log

Can you elaborate on the nature of "the final log"?
If you're simply using a file destination with default template, you won't
see any of the macros, as by default only $DATE, $HOST, $PROGRAM, $PID and
$MSG are shown. You need to explicitly do that in the template format.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq




--
Kaladhar



--
Kaladhar