On Fri, Sep 03, 2010 at 03:07:03PM +0000, otgovorete@gmail.com wrote:
> kosta@Kostadin:~$ /opt/syslog-ng/bin/pdbtool match -D -c -p /opt/syslog-ng/var/login.parser.new.xml -P "ssh" -M "Sep 13 17:34:00 server1 sshd[20981]: Failed keyboard-interactive/pam for invalid user dfgdf from xxxx port 3602 ssh2"
>
> <rule provider='balabit' id='ssh-failed' class='violation'>
>   <patterns>
>     <pattern>@ESTRING:FailedLogin_MONTH: @@ESTRING:FailedLogin_DATE: @@ESTRING:FailedLogin_TIME: @@ESTRING:FailedLogin_SERVER: @@ESTRING:FailedL$
>   </patterns>
> </rule>
I had this problem before as well. It's important to know that certain headers are stripped off the message before they are parsed. "Sep 13 17:34:00 server1 " should get stripped off before the match. There's a thread from a while ago I started when I had this issue: https://lists.balabit.hu/pipermail/syslog-ng/2010-August/014588.html
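A small model of the behaviour the reply describes, added here as an illustration (it is not code from this thread or from syslog-ng): the BSD syslog header is split off first, and patterndb only ever sees the MSG part, so a pattern that starts at the month can never line up. The matcher below is a simplified regex rendering of ESTRING/NUMBER/ANYSTRING, not syslog-ng's real radix-tree matcher, and the "sshd[...]" continuation of the header-style pattern is constructed because the original pattern is truncated in the mail.

```python
import re

# Constructed sample, copied in shape from the pdbtool invocation in the thread.
RAW = ("Sep 13 17:34:00 server1 sshd[20981]: Failed keyboard-interactive/pam "
       "for invalid user dfgdf from xxxx port 3602 ssh2")

# BSD syslog header: "Mon dd hh:mm:ss host program[pid]: MSG"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def split_header(line):
    """Model of what syslog-ng does before patterndb runs: the header fields
    become separate macros and only MSG is handed to the pattern matcher."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None

TOKEN_RE = re.compile(r"@(ESTRING|NUMBER|ANYSTRING):(\w+)(?::([^@]*))?@")

def pattern_to_regex(pattern):
    """Simplified translation of a patterndb pattern into an anchored regex.
    ESTRING:name:delim consumes up to delim, NUMBER:name digits, ANYSTRING the rest."""
    out, pos = [], 0
    for tok in TOKEN_RE.finditer(pattern):
        out.append(re.escape(pattern[pos:tok.start()]))   # literal text between tokens
        kind, name, delim = tok.groups()
        if kind == "ESTRING" and delim:
            out.append("(?P<%s>.*?)%s" % (name, re.escape(delim)))
        elif kind == "NUMBER":
            out.append(r"(?P<%s>\d+)" % name)
        else:                                              # ANYSTRING or ESTRING without delimiter
            out.append("(?P<%s>.*)" % name)
        pos = tok.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(out) + "$")

def pdb_match(pattern, line):
    """Strip the header as syslog-ng would, then match the pattern against MSG only."""
    hdr = split_header(line)
    if hdr is None:
        return None
    m = pattern_to_regex(pattern).match(hdr["msg"])
    return m.groupdict() if m else None

# Header-style pattern in the spirit of the one posted (continuation is constructed).
HEADER_PATTERN = ("@ESTRING:FailedLogin_MONTH: @@ESTRING:FailedLogin_DATE: @"
                  "@ESTRING:FailedLogin_TIME: @@ESTRING:FailedLogin_SERVER: @"
                  "sshd[@NUMBER:pid@]: @ANYSTRING:rest@")
# Pattern written against MSG only, which is what the matcher actually receives.
MSG_PATTERN = ("Failed @ESTRING:auth_method: @for invalid user @ESTRING:user: @"
               "from @ESTRING:src_host: @port @NUMBER:src_port@ ssh2")
```

Running `pdb_match(HEADER_PATTERN, RAW)` returns None even though the same pattern matches the raw line, while `pdb_match(MSG_PATTERN, RAW)` yields the user, source host and port.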