x-posted from ELSA mailing list; no replies there so please excuse the noise.

I am trying to add an additional ASA log message that is unclassified in ELSA. To make a long story short, *nothing* seems to be matching with pdbtool. Here is the line I am trying to work with:

  Jun 23 00:00:05 192.168.1.4 %ASA-3-106100: access-list INOUT denied tcp inside/1.2.3.4(64576) -> outside/5.6.7.8(80) hit-cnt 1 first hit [0x59bca63e, 0x620e5b55]

Putting that aside for the moment since I can't get it to work, I went straight to the syslog-ng docs (https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guid...) and used the example. I created /etc/elsa/patterns.d/test.xml with this content:

  <patterndb version='4' pub_date='2010-10-17'>
    <ruleset name='ssh' id='123456678'>
      <pattern>ssh</pattern>
      <rules>
        <rule provider='me' id='182437592347598' class='system'>
          <patterns>
            <pattern>Accepted @QSTRING:SSH.AUTH_METHOD: @ for@QSTRING:SSH_USERNAME: @from\ @QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
          </patterns>
        </rule>
      </rules>
    </ruleset>
  </patterndb>

I then tested with this line:

  /usr/local/syslog-ng/bin/pdbtool match -p /etc/elsa/patterns.d/test.xml -M "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2"

The result is this:

  MESSAGE=Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2
  .classifier.class=unknown

Details are:

  [root@hostname elsa]# /usr/local/syslog-ng-3.2.4/sbin/syslog-ng -V
  syslog-ng 3.2.4
  Installer-Version: 3.2.4
  Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
  Compile-Date: May 23 2012 09:58:14
  Enable-Threads: off
  Enable-Debug: off
  Enable-GProf: off
  Enable-Memtrace: off
  Enable-Sun-STREAMS: off
  Enable-IPv6: on
  Enable-Spoof-Source: off
  Enable-TCP-Wrapper: off
  Enable-SSL: on
  Enable-SQL: off
  Enable-Linux-Caps: on
  Enable-Pcre: on
  Enable-Pacct: off

  [root@hostname elsa]# cat /etc/redhat-release
  Oracle Linux Server release 6.5

Thank you in advance.
Hi Michael!

First, when using pdbtool for testing, you should specify -P "ssh" on the command line, because your rule will only match if the program name is "ssh".

Second, be careful with spaces and line breaks! Patterndb patterns are very sensitive to whitespace and line breaks: if the log is a single-line one, then your pattern shouldn't have any line break. In your case, the problem is with spaces. In patterndb, there is no need to escape spaces, because they are taken literally: one space in the pattern means one space matching in the log. So you should delete the space after the "Accepted" word, and you should delete another space and the backslash after "from".

With these modifications, I managed to match the line. So here is my pattern:

  <?xml version='1.0' encoding='UTF-8'?>
  <patterndb version='4' pub_date='2010-10-17'>
    <ruleset name='ssh' id='123456678'>
      <pattern>ssh</pattern>
      <rules>
        <rule provider='me' id='182437592347598' class='system'>
          <patterns>
            <pattern>Accepted@QSTRING:SSH.AUTH_METHOD: @for@QSTRING:SSH_USERNAME: @from@QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
          </patterns>
        </rule>
      </rules>
    </ruleset>
  </patterndb>

And the pdbtool line:

  bin/pdbtool match -p /tmp/test.xml -P "ssh" -M "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2"

Hope I could help you.

Best Regards,
Viktor

On Tue, Jul 1, 2014 at 11:49 PM, Michael Starks <syslog-ng-list@michaelstarks.com> wrote:
x-posted from ELSA mailing list; no replies there so please excuse the noise. I am trying to add an additional ASA log message that is unclassified in ELSA...
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
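The two points in Viktor's reply (the ruleset's program pattern must match, which is what -P supplies, and literal text in a pattern is matched space for space) worked through in code. This is an added example, not code from the thread, from ELSA or from syslog-ng: a small Python emulation of a subset of the patterndb pattern language (QSTRING, ESTRING, NUMBER, IPv4 and ANYSTRING, with the ruleset program pattern reduced to a literal comparison). It runs Michael's pattern and Viktor's corrected one against the same ssh line, shows what happens without -P, and then applies a pattern for the ASA 106100 message body that Michael actually wants to classify. That ASA pattern, its field names, and the split between syslog header and message body are my assumptions for this example, not anything posted in the thread; the real arbiter is pdbtool, so use this only to reason about delimiters before running it.

```python
import re

# Added example, not code from the thread or from syslog-ng: an emulation of a SUBSET of
# patterndb's pattern language, just enough to reason about delimiter and whitespace handling.
# A parser reference is written @PARSER:name:argument@ (the name may contain dots).
TOKEN = re.compile(r'@(?P<parser>[A-Za-z0-9]+)(?::(?P<name>[^:@]*)(?::(?P<arg>[^@]*))?)?@')


def _parser_regex(parser, arg):
    """One capturing group per parser, following the documented semantics of each."""
    if parser == 'QSTRING':
        # Delimited string. One delimiter char means open == close, two mean open and close.
        # Both delimiters are consumed: "Accepted@QSTRING:m: @for" matches "Accepted password for"
        # because the parser eats the space before AND after "password".
        opener, closer = (arg[0], arg[-1]) if arg else ('"', '"')
        return re.escape(opener) + '([^' + re.escape(closer) + ']*)' + re.escape(closer)
    if parser == 'ESTRING':
        # Text up to the first occurrence of the delimiter string; the delimiter is consumed too.
        return '(.*?)' + re.escape(arg or '')
    if parser == 'NUMBER':
        return r'(\d+)'
    if parser == 'IPv4':
        return r'(\d{1,3}(?:\.\d{1,3}){3})'
    if parser == 'ANYSTRING':
        return '(.*)'
    raise ValueError('parser not emulated here: ' + parser)


def compile_pattern(pattern):
    """Translate a patterndb pattern into a regex plus the field names in capture order.
    Literal text between parser references is matched character for character, spaces
    included: there is no escaping of spaces and no tolerance for an extra one."""
    parts, names, pos = [], [], 0
    for tok in TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:tok.start()]))
        parts.append(_parser_regex(tok.group('parser'), tok.group('arg')))
        names.append(tok.group('name') or None)
        pos = tok.end()
    parts.append(re.escape(pattern[pos:]))
    return ''.join(parts), names


def match(pattern, message):
    """Return {field: value} when the whole message matches the pattern, else None."""
    regex, names = compile_pattern(pattern)
    m = re.fullmatch(regex, message)
    if m is None:
        return None
    return {name: value for name, value in zip(names, m.groups()) if name}


def classify(rulesets, program, message):
    """Emulate the pdbtool match flow: a ruleset is consulted only when its program pattern
    matches PROGRAM (what -P supplies). With no -P the program is empty, nothing is consulted,
    and the result is class 'unknown' whatever the message pattern says."""
    for ruleset in rulesets:
        if ruleset['program'] != program:   # real patterndb matches a pattern here; a literal compare is enough for the demo
            continue
        for rule in ruleset['rules']:
            fields = match(rule['pattern'], message)
            if fields is not None:
                return rule['class'], fields
    return 'unknown', {}


# The ssh line from the thread.
SSH_MSG = 'Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2'
# Michael's pattern as posted: space after "Accepted", space before "for", backslash-space after "from".
BROKEN_SSH = ('Accepted @QSTRING:SSH.AUTH_METHOD: @ for@QSTRING:SSH_USERNAME: @from\\ '
              '@QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2')
# Viktor's corrected pattern.
FIXED_SSH = ('Accepted@QSTRING:SSH.AUTH_METHOD: @for@QSTRING:SSH_USERNAME: @from'
             '@QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2')
RULESETS = [{'program': 'ssh', 'rules': [{'class': 'system', 'pattern': FIXED_SSH}]}]

# The ASA 106100 line from the thread, minus the syslog header ("Jun 23 00:00:05 192.168.1.4
# %ASA-3-106100: "). Assumption: syslog-ng strips that header before patterndb sees MESSAGE and
# derives PROGRAM from it, so the ruleset <pattern> has to match that program token (verify with -P).
ASA_MSG = ('access-list INOUT denied tcp inside/1.2.3.4(64576) -> outside/5.6.7.8(80) '
           'hit-cnt 1 first hit [0x59bca63e, 0x620e5b55]')
# Assumed pattern and field names, written for this example; ESTRING is used where the value
# ends at a fixed delimiter ("/" before the address, " " before the next word).
ASA_106100 = ('access-list @ESTRING:acl: @denied @ESTRING:proto: @@ESTRING:src_if:/@'
              '@IPv4:src_ip:@(@NUMBER:src_port:@) -> @ESTRING:dst_if:/@@IPv4:dst_ip:@'
              '(@NUMBER:dst_port:@) hit-cnt @NUMBER:hit_cnt:@ @ANYSTRING:rest:@')

if __name__ == '__main__':
    print('broken pattern :', match(BROKEN_SSH, SSH_MSG))
    print('fixed pattern  :', match(FIXED_SSH, SSH_MSG))
    print('without -P     :', classify(RULESETS, '', SSH_MSG))
    print('with -P ssh    :', classify(RULESETS, 'ssh', SSH_MSG))
    print('ASA 106100     :', match(ASA_106100, ASA_MSG))
```

Running it prints None for Michael's pattern (the regex it compiles to demands two spaces after "Accepted" and a literal backslash after "from"), the four ssh fields for Viktor's pattern, class unknown when the program is empty, and the parsed ACL, interfaces, addresses and ports for the ASA line. Once a pattern behaves here, confirm it with pdbtool match -P against the real program name, since the emulation covers only these five parsers.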
On 2014-07-01 17:11, Tusa Viktor wrote:
Hi Michael!
First, when using pdbtool for testing, you should specify -P "ssh" on command line, because your rule will only match if the program name is "ssh". Second, be careful with spaces and line breaks!...
Thanks for your help and thorough reply, Tusa. I think my first mistake was simply a poorly written pattern; then, when I tried to simplify it by testing what should work, I didn't count on the documentation example being wrong (or at least wrong for my intended purposes). I think I found the original error and all is working now.
On 2014-07-02 14:30, Michael Starks wrote:
Thanks for your help and thorough reply, Tusa.
Whoops, that should be 'Thanks for your help and thorough reply, Viktor.'
participants (2): Michael Starks, Tusa Viktor