On Fri, 2010-09-03 at 10:56 -0700, Matthew Hall wrote:
> On Fri, Sep 03, 2010 at 03:07:03PM +0000, otgovorete@gmail.com wrote:
> > kosta@Kostadin:~$ /opt/syslog-ng/bin/pdbtool match -D -c -p /opt/syslog-ng/var/login.parser.new.xml -P "ssh" -M "Sep 13 17:34:00 server1 sshd[20981]: Failed keyboard-interactive/pam for invalid user dfgdf from xxxx port 3602 ssh2"
> > <rule provider='balabit' id='ssh-failed' class='violation'> <patterns> <pattern>@ESTRING:FailedLogin_MONTH: @@ESTRING:FailedLogin_DATE: @@ESTRING:FailedLogin_TIME: @@ESTRING:FailedLogin_SERVER: @@ESTRING:FailedL$ </patterns> </rule>
> I had this problem before as well. It's important to know that certain headers are stripped off the message before they are parsed.
> "Sep 13 17:34:00 server1 " should get stripped off before the match.
> There's a thread from a while ago I started when I had this issue:
And before going any further, you could also use the patterndb patterns which already cover this and are already tested. http://git.balabit.hu/bazsi/syslog-ng-patterndb.git
-- 
Bazsi
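As an added illustration (not from this thread and not taken from the balabit patterndb repository), this is what the rule looks like once it is written against the MESSAGE part only, i.e. what is left after syslog-ng has parsed the timestamp, host, program and PID out of the line. The ruleset id, rule id, field names and pub_date are assumed values:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed ruleset/rule ids and field names; only the message body is matched,
     because syslog-ng has already split "Sep 13 17:34:00 server1 sshd[20981]: "
     into DATE, HOST, PROGRAM and PID before patterndb sees the message. -->
<patterndb version="3" pub_date="2010-09-03">
  <ruleset name="sshd" id="example-sshd-ruleset">
    <!-- The ruleset-level pattern is matched against PROGRAM, not the message. -->
    <patterns>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule provider="example" id="ssh-failed-invalid-user" class="violation">
        <patterns>
          <!-- @ESTRING:name:delim@ consumes up to the delimiter (a space here);
               @NUMBER:name@ takes the digits of the client port. -->
          <pattern>Failed @ESTRING:ssh.auth_method: @for invalid user @ESTRING:ssh.user: @from @ESTRING:ssh.client_ip: @port @NUMBER:ssh.client_port@ ssh2</pattern>
        </patterns>
        <!-- Embedded test case, checked with: pdbtool test <this-file> -->
        <examples>
          <example>
            <test_message program="sshd">Failed keyboard-interactive/pam for invalid user dfgdf from xxxx port 3602 ssh2</test_message>
            <test_values>
              <test_value name="ssh.auth_method">keyboard-interactive/pam</test_value>
              <test_value name="ssh.user">dfgdf</test_value>
              <test_value name="ssh.client_ip">xxxx</test_value>
              <test_value name="ssh.client_port">3602</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

To reproduce the match by hand, pass only the body to pdbtool, e.g. `pdbtool match -p <this-file> -P sshd -M "Failed keyboard-interactive/pam for invalid user dfgdf from xxxx port 3602 ssh2"`; the embedded example lets `pdbtool test` catch a broken pattern without a live syslog feed.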