Hello, I am trying to create a Pattern-DB for the following authorization messages coming from the O/S. Can you help on creating a matching rule? Note: I do not have the PATTERN-DB parser utility. I am going to create the db-parser.xml manually and put the rules inside the file.

2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice] Failed password for root from 100.200.255.01 port 54438 ssh2
2014-09-28T14:03:46-04:00 abcdef01-app/abcdef01-app sshd[27420]: [ID 800047 auth.notice] Failed publickey for root from 100.200.255.02 port 59219 ssh2
2014-09-28T14:08:28-04:00 abcdef01-app/abcdef01-app sshd[3954]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 100.200.255.03 port 65410 ssh2
2014-09-28T14:10:11-04:00 abcdef01-app/abcdef01-app sshd[5222]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials

Thanks & Regards
Kaladhar
Hi Justin,

On Tue, Sep 30, 2014 at 10:29:13AM -0400, Justin Kala wrote:
> 2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice] Failed password for root from 100.200.255.01 port 54438 ssh2
> 2014-09-28T14:03:46-04:00 abcdef01-app/abcdef01-app sshd[27420]: [ID 800047 auth.notice] Failed publickey for root from 100.200.255.02 port 59219 ssh2
> 2014-09-28T14:08:28-04:00 abcdef01-app/abcdef01-app sshd[3954]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 100.200.255.03 port 65410 ssh2
> 2014-09-28T14:10:11-04:00 abcdef01-app/abcdef01-app sshd[5222]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
As it happens, these rules are already out there on github, you can just grab them [1]. That being said, you'll have a slight problem as you seem to be logging from Solaris machines, which unfortunately pollute the message with a msgid. You can either change the patterndb rules, or disable that IMHO useless feature by modifying /kernel/drv/log.conf and optionally using 'echo log_msgid/W0 | adb -kw' [2].

Hope this helps

[1] https://github.com/balabit/syslog-ng-patterndb
[2] http://docs.oracle.com/cd/E19620-01/806-1650/6jau1364v/index.html
Thanks Fabien, that was very helpful. I cannot change the format as of now. Can you provide me the pattern db for the messages sent, like what to add in front of the message? For example: what to put in place of timezone, hostname, program etc., especially this part "2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice]". The rest of the message is written in the example you provided.
Regards
Kaladhar

On Tue, Sep 30, 2014 at 10:47 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Kaladhar
Hi again,

On Tue, Sep 30, 2014 at 03:04:32PM -0400, Justin Kala wrote:
> example: what to put in place of timezone, hostname, program etc., especially this part "2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice]". The rest of the message is written in the example you provided.
First things first, you shouldn't need to worry about date, host and program: they are automatically being parsed by syslog-ng and cast respectively into the macros $DATE, $HOST, and $PROGRAM. The latter is being used by patterndb to separate rulesets. So in your example, $PROGRAM=sshd, $MSG=[ID 800047 auth.notice] ...

Secondly, if I were you, I wouldn't touch the patterndb: I'd rather rewrite all messages to drop the annoying prefix, and only then pass the result to the dbparser.

If you don't know how to do that, I can be of further assistance :-)

cheers
True.. How can I chop that content and pass it to the db-parser? Also, how do I handle different values, like if the authentication method can be password, public key, none, keyboard-interactive? How do I put the values in the pattern-db rule? Do I keep adding them in the example tag of the rule? Thank you very much for the quick response. I'm trying to get onboard :)

On Sep 30, 2014 3:34 PM, "Fabien Wernli" <wernli@in2p3.fr> wrote:
Hi again,

On Tue, Sep 30, 2014 at 03:59:39PM -0400, Justin Kala wrote:
> How can I chop that content and pass it to the db-parser??
There's multiple ways I can think of: using rewrite rules or a dedicated parser. The way I do it in production for a similar use case, is using a csv-parser. If your syslog-ng version allows it, I'd highly recommend putting the parser inside your source definition. That way you'll be able to remove the parser once you don't need it anymore (after fixing the Solaris config). Here's an untested snippet for you that should help you progress:

source s_solaris {
    channel {
        source {
            network(
                transport(udp)
                port(514)
                flags(syslog-protocol)
            );
        };
        parser(p_drop_msgid);
    };
};

parser p_drop_msgid {
    csv_parser(
        columns("dropme" "MESSAGE")
        delimiters(" ")
        flags(greedy)
        quote-pairs('[]')
    );
};

The csv-parser simply puts the unwanted "[ID 123435 auth.notice]" text into macro ${dropme}, and the rest into ${MESSAGE}, which is then used by your patterndb parser.
> Also how to handle different values like if authentication method can be password, public key, none, keyboard interactive. How do I put the values in the pattern-db rule. Do I keep adding them in example tag of the rule..
That's already being handled in one of the pdb files on github [1].

[1] https://github.com/balabit/syslog-ng-patterndb/blob/master/access/sshd.pdb

Cheers
Hi Fabien, I was able to do it like you mentioned. I have another problem now. My syslog-ng server (syslog-ng OSE 3.0.4, this came default with the Solaris OS) is not using the patterndb.xml db_parser I configured in syslog-ng.conf. I chopped off the message id content and the actual message is sent to the pattern-db parser, but all the macro values that are referred from here are not getting populated in the final log:

<rule provider="patterndb" id="aecda233-3d80-48cd-a72b-4896f58069c8" class="system">
  <patterns>
    <pattern>Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@</pattern>
  </patterns>
  <examples>
    <example>Failed password for bazsi from 127.0.1.1 port 44637 ssh2</example>
  </examples>
  <values>
    <value name="usracct.type">login</value>
    <value name="usracct.sessionid">$PID</value>
    <value name="usracct.application">$PROGRAM</value>
    <value name="usracct.device">${temp.src_ip}:${temp.src_port}</value>
    <value name="secevt.verdict">REJECT</value>
  </values>
  <tags>
    <tag>usracct</tag>
    <tag>secevt</tag>
  </tags>
</rule>

Can you help on this? I highly appreciate the support and responses you have been giving.

On Wed, Oct 1, 2014 at 7:59 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
-- Kaladhar
Hi,

On Wed, Oct 01, 2014 at 10:48:44PM -0400, Justin Kala wrote:
> my syslog-ng server (Syslog-ng OSE 3.0.4), this came default with SOLARIS OS.. is not using patterndb.xml db_parser i configured in syslog-ng.conf. I chopped off the message id content and the actual message is sent to pattern-db parser but all the macro values that are referred from here are not getting populated in the final log
Can you elaborate on the nature of "the final log"? If you're simply using a file destination with default template, you won't see any of the macros, as by default only $DATE, $HOST, $PROGRAM, $PID and $MSG are shown. You need to explicitly do that in the template format.
Hi, this is how I configured it, and the final log message:

parser p_drop_msgid {
    csv_parser(
        columns("dropme", "EMSG")
        delimiters("]")
    );
};

parser pattern_db {
    db_parser(
        file("/test/syslogs/script/parser/patterndb.xml")
    );
};

destination r_auth {
    file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"
        owner(root) group(salars) perm(0640)
        template("<#|${S_FULLDATE}|${usracct.type}|${usracct.device}|${usracct.application}|${secevt.verdict}|${EMSG}|${usracct.username}|#>\n")
    );
};

log {
    source(remote);
    filter(f_auth);
    parser(p_drop_msgid);
    parser(pattern_db);
    destination(r_auth);
};

Final log message:

<#|2014 Oct 1 16:07:54|||||[ID 800047 auth.notice] Failed none for abc1234 from 100.200.300.10 port 59301 ssh2||#>

Thanks & Regards

On Thu, Oct 2, 2014 at 3:26 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
-- Kaladhar
Fabien, this is the configuration I put. I tried to print the classifier.class and classifier.id from db_parser and got the value "unknown" in the log message.

================================================================

log {
    source(remote);
    filter(f_auth);
    parser(p_drop_msgid);
    parser(p_tmsgid);
    parser(pattern_db);
    destination(r_auth);
};

#Source
source remote {
    internal();
    udp(ip(0.0.0.0) port(514));
};

#filter
filter f_auth {
    facility(auth,user);
};

#parser01
parser p_drop_msgid {
    csv_parser(
        columns("dropme", "EMSG")
        delimiters("]")
    );
};

#parser02
parser p_tmsgid {
    csv_parser(
        columns("EMSG01")
        delimiters("")
        template("${EMSG}")
    );
};

#parser03
parser pattern_db {
    db_parser(
        file("/test/syslogs/script/parser/patterndb.xml")
    );
};

#template 01
template t_msg_dbparser {
    template("${.classifier.class}|${.classifier.id}\n");
};

destination r_auth {
    file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"
        owner(root) group(test) perm(0640)
        #template("<#|${EMSG01}|#>\n")
        template(t_msg_dbparser)
    );
};

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2010-07-13'>
  <ruleset name='sshd' id='12345678'>
    <description>
      This ruleset covers the OpenSSH server.
    </description>
    <url>www.openssh.com</url>
    <pattern>sshd</pattern>
    <rules>
      <rule provider="patterndb" id="aecda233-3d80-48cd-a72b-4896f58069c8" class="system">
        <patterns>
          <pattern>Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@</pattern>
        </patterns>
        <examples>
          <example>Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</example>
        </examples>
        <values>
          <value name="usracct.type">login</value>
          <value name="usracct.sessionid">$PID</value>
          <value name="usracct.application">$PROGRAM</value>
          <value name="usracct.device">${temp.src_ip}:${temp.src_port}</value>
          <value name="secevt.verdict">REJECT</value>
        </values>
        <tags>
          <tag>usracct</tag>
          <tag>secevt</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>

For this the log message is:

===========================================================
cat messagesAuth.2014.10.02.16
unknown|unknown|
===========================================================

Thanks & Regards
Justin Kala

On Thu, Oct 2, 2014 at 10:38 AM, Justin Kala <justinkala@gmail.com> wrote:
-- Kaladhar
Hi Justin,

First things first, your patterndb file doesn't validate. You should always test and validate the files using `pdbtool test --validate <file.pdb>`. You have to put the text of your example in a `<test_message>` element, without forgetting the `program`:

<examples>
  <example>
    <test_message program="sshd">Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</test_message>
  </example>
</examples>

Now this probably doesn't explain why the parser doesn't match your messages.

On Thu, Oct 02, 2014 at 04:31:38PM -0400, Justin Kala wrote:
> cat messagesAuth.2014.10.02.16
> unknown|unknown|
this means your message correctly made it to the pattern parser, but didn't match any rule. What I can suggest, is to run syslog-ng in the foreground, using `syslog-ng -Fvd` so you'll also get debugging information. Please post the relevant info from the output, if you don't figure it out by yourself.

Cheers
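An added example, written for this thread and not taken from syslog-ng or from any of the posts: a small Python stand-in for the csv-parser plus db-parser pipeline discussed above, so the "unknown" outcome can be reproduced offline without pdbtool. It removes the Solaris msgid prefix both ways (splitting on "]" as the posted csv-parser does, and stripping the whole prefix), compiles the sshd "Failed ..." rule pattern into a regex, and shows two reasons such a rule yields ${.classifier.class} = unknown: a leading space left behind after the "]" split, and an @IPv4@ field like the 100.200.300.10 in the quoted log, whose octet exceeds 255. The sample lines are constructed, and the rule's $PID/$PROGRAM values are left out because they are not part of the message text.

```python
import re

# Regex equivalents of the patterndb parsers the sshd rule uses.
# ("@@" in a pattern would be a literal "@"; this rule does not use it.)
PARSER_REGEX = {
    "STRING": r"\S+",                    # runs until the next whitespace
    "NUMBER": r"\d+",
    "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}",  # shape only; octet range is checked below
    "ANYSTRING": r".*",
}

# The rule posted in the thread. The $PID/$PROGRAM values are left out because
# they come from syslog-ng's header parsing, not from the message text.
SSHD_FAILED_RULE = {
    "class": "system",
    "pattern": ("Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@"
                " from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@"
                " @STRING:usracct.service@"),
    "values": {
        "usracct.type": "login",
        "usracct.device": "${temp.src_ip}:${temp.src_port}",
        "secevt.verdict": "REJECT",
    },
    "tags": ["usracct", "secevt"],
}

# Constructed sample lines in the shape of the thread's messages ($MSG part only).
SAMPLE_LINES = [
    "[ID 800047 auth.notice] Failed password for root from 100.200.255.1 port 54438 ssh2",
    "[ID 800047 auth.notice] Failed keyboard-interactive for root from 100.200.255.3 port 65410 ssh2",
    "[ID 800047 auth.notice] Failed none for abc1234 from 100.200.300.10 port 59301 ssh2",
    "[ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed",
]


def split_on_delimiter(message, delimiter="]"):
    """Mimic csv_parser(columns("dropme", "EMSG") delimiters("]")): the text after
    the delimiter keeps its leading space unless flags(strip-whitespace) is set."""
    dropme, _, emsg = message.partition(delimiter)
    return dropme, emsg


def strip_solaris_msgid(message):
    """Drop the whole "[ID 800047 auth.notice] " prefix, trailing space included."""
    return re.sub(r"^\[ID \d+ \w+\.\w+\] ?", "", message, count=1)


def compile_pattern(pattern):
    """Turn a pattern with @PARSER:name@ fields into (regex, [(type, name), ...])."""
    parts, fields, pos = [], [], 0
    for i, fld in enumerate(re.finditer(r"@(\w+)(?::([\w.]+))?@", pattern)):
        parts.append(re.escape(pattern[pos:fld.start()]))  # literal text in between
        fields.append((fld.group(1), fld.group(2)))
        parts.append(f"(?P<f{i}>{PARSER_REGEX[fld.group(1)]})")
        pos = fld.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts)), fields


def match_rule(rule, message):
    """Return the rule's name-value pairs if the whole message matches, else None."""
    regex, fields = compile_pattern(rule["pattern"])
    m = regex.fullmatch(message)  # patterndb needs the entire message to match
    if m is None:
        return None
    values = {}
    for i, (ptype, name) in enumerate(fields):
        text = m.group(f"f{i}")
        if ptype == "IPv4" and any(int(octet) > 255 for octet in text.split(".")):
            return None  # "100.200.300.10" has the right shape but is not an address
        if name:
            values[name] = text
    # Expand ${name} references inside the rule's static values, as patterndb does.
    for name, template in rule["values"].items():
        values[name] = re.sub(r"\$\{([\w.]+)\}",
                              lambda ref: values.get(ref.group(1), ""), template)
    return values


def classify(rules, message):
    """First matching rule wins; ${.classifier.class} becomes "unknown" otherwise."""
    for rule in rules:
        values = match_rule(rule, message)
        if values is not None:
            values[".classifier.class"] = rule["class"]
            values["tags"] = list(rule["tags"])
            return values
    return {".classifier.class": "unknown"}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        _, emsg = split_on_delimiter(line)          # what the "]" csv split leaves
        print("csv split  :", classify([SSHD_FAILED_RULE], emsg)[".classifier.class"])
        print("full strip :", classify([SSHD_FAILED_RULE], strip_solaris_msgid(line)))
```

Running it prints "unknown" for every line after the bare "]" split, and the full name-value set only for the two lines whose stripped text is a complete match with a valid address.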
You can always use pdbtool match to debug and match messages against a patterndb database. It even colorizes output how far a message matched.

On Oct 3, 2014 10:35 AM, "Fabien Wernli" <wernli@in2p3.fr> wrote:
Is 3.5.6 OSE still the latest stable version, or is there anything higher?

On Sun, Nov 2, 2014 at 2:26 AM, Balazs Scheidler <bazsi77@gmail.com> wrote:
-- Kaladhar
You can see the latest syslog-ng releases on the syslog-ng github pages at: github.com/balabit/syslog-ng

The latest is 3.7.1

On Sep 24, 2015 4:28 AM, "Justin Kala" <justinkala@gmail.com> wrote:
I don't see it as supporting Solaris 11. Does 3.7 OSE support only up to Solaris 10?

On Wed, Sep 23, 2015 at 11:58 PM, Scheidler, Balázs <balazs.scheidler@balabit.com> wrote:
-- Kaladhar
Well, we didn't remove any support code. Solaris is not a primary platform, but we still strive to make it work there. I know that part of the value add that Balabit gives to its customers in syslog-ng Premium Edition is binary packages for a lot of platforms. Solaris is a supported OS there, so it should work in OSE as well, as we share most of the code. Compile it and let us know where and if it breaks.

On Sep 24, 2015 4:32 PM, "Justin Kala" <justinkala@gmail.com> wrote:
Well, no. There are 3.6.4 and 3.7.1 as well.

On Sep 24, 2015 4:28 AM, "Justin Kala" <justinkala@gmail.com> wrote: