Hi,

I'm currently organizing my patterndb files into something easily maintainable, and I ran into the following problem, best explained using an example: sshd and pam_unix.

Some sshd-specific patterns reside in a specific ruleset, e.g.

<ruleset name='sshd' id='A'>
  <patterns>
    <pattern>sshd</pattern>
  </patterns>
  <rules>
    <rule>
      ...
    </rule>
  </rules>
</ruleset>

Some of sshd's messages come from pam_unix, e.g. modules/pam_unix/support.c, and are shared among other daemons:

<ruleset name='pam_unix' id='B'>
  <patterns>
    <pattern>crond</pattern>
    <pattern>imap</pattern>
    <pattern>login</pattern>
    <pattern>pam</pattern>
    <pattern>pure-ftpd</pattern>
    <pattern>proftpd</pattern>
    <pattern>sshd</pattern>
    <pattern>su</pattern>
    <pattern>sudo</pattern>
    ...
  </patterns>
  <rules>
    <rule>
      ...
    </rule>
  </rules>
</ruleset>

The problem is, when an sshd message is parsed, even if it doesn't match any rules in ruleset 'A', ruleset 'B' isn't even considered for matching.

So how do I properly organize my pdb tree, without duplicating rules in multiple source files?

Thanks in advance
On Tue, 2013-11-26 at 13:56 +0100, Fabien Wernli wrote:
Hi,
I'm currently organizing my patterndb files into something easily maintainable, and I ran into the following problem, best explained using an example: sshd and pam_unix.
Some sshd-specific patterns reside in a specific ruleset, e.g.
<ruleset name='sshd' id='A'>
  <patterns>
    <pattern>sshd</pattern>
  </patterns>
  <rules>
    <rule>
      ...
    </rule>
  </rules>
</ruleset>
Some of sshd's messages come from pam_unix, e.g. modules/pam_unix/support.c, and are shared among other daemons:
<ruleset name='pam_unix' id='B'>
  <patterns>
    <pattern>crond</pattern>
    <pattern>imap</pattern>
    <pattern>login</pattern>
    <pattern>pam</pattern>
    <pattern>pure-ftpd</pattern>
    <pattern>proftpd</pattern>
    <pattern>sshd</pattern>
    <pattern>su</pattern>
    <pattern>sudo</pattern>
    ...
  </patterns>
  <rules>
    <rule>
      ...
    </rule>
  </rules>
</ruleset>
The problem is, when an sshd message is parsed, even if it doesn't match any rules in ruleset 'A', ruleset 'B' isn't even considered for matching.
So how do I properly organize my pdb tree, without duplicating rules in multiple source files?
hmm... patterns are merged, so which file the given pattern is read from is irrelevant. syslog-ng matches on the $PROGRAM value first (the pattern listed right below the ruleset tag) and then the $MESSAGE value. So it should just work (tm). If it doesn't then probably the merge algorithm is at fault.

Could you pls create a simpler, artificial example that demonstrates the issue so that I can reproduce it locally?

Thanks.

-- 
Bazsi
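To make the merge behaviour described above checkable offline, here is a toy model of the two-stage lookup (select candidate rules by $PROGRAM, then match $MESSAGE against every rule of every ruleset that lists that program). This is an added example, not syslog-ng's own code or its dbparser implementation: the pattern language is reduced to literal text plus the @STRING@, @ESTRING@ and @NUMBER@ parsers, the sample pdb and its rule ids are constructed for the example, and it assumes (as in the documented "@ESTRING:user: @from" style) that an ESTRING delimiter is consumed but not captured.

```python
"""Toy model of syslog-ng patterndb ruleset merging (added example, not
syslog-ng's code). It models the lookup described in the thread: $PROGRAM
selects candidate rules from every ruleset that lists the program, then
$MESSAGE is matched against those candidates in file order. Only literal
text plus @STRING@, @ESTRING@ and @NUMBER@ are supported; '@@' escapes,
other parsers and rule priorities are not modelled."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pdb: two rulesets that both list the program 'sshd',
# mirroring the sshd-specific ruleset 'A' and the shared pam_unix ruleset 'B'
# from the thread. Rule ids and patterns are made up for this example.
SAMPLE_PDB = """<patterndb version='4' pub_date='2013-11-26'>
  <ruleset name='sshd' id='A'>
    <patterns><pattern>sshd</pattern></patterns>
    <rules>
      <rule id='A-1' class='system'>
        <patterns>
          <pattern>Accepted @ESTRING:method: @for @ESTRING:user: @from @ESTRING:ip: @port @NUMBER:port@ ssh2</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
  <ruleset name='pam_unix' id='B'>
    <patterns>
      <pattern>crond</pattern><pattern>login</pattern>
      <pattern>sshd</pattern><pattern>su</pattern><pattern>sudo</pattern>
    </patterns>
    <rules>
      <rule id='B-1' class='system'>
        <patterns>
          <pattern>pam_unix(@ESTRING:service::@session): session opened for user @ESTRING:user: @by (uid=@NUMBER:uid@)</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""

# Regex bodies for the fixed-form parsers modelled here.
PARSER_REGEX = {
    "STRING": r"\S+",    # run of non-whitespace (STRING's default behaviour)
    "NUMBER": r"-?\d+",  # decimal integer; hex forms are not modelled
}


def pattern_to_regex(pattern):
    """Translate a reduced patterndb message pattern into a compiled regex.
    @ESTRING:name:delim@ captures lazily up to 'delim' and consumes the
    delimiter; an empty delimiter means 'up to the end of the message'."""
    out, pos = [], 0
    for m in re.finditer(r"@([^@]+)@", pattern):
        out.append(re.escape(pattern[pos:m.start()]))   # literal text
        parts = m.group(1).split(":", 2)
        kind = parts[0]
        name = parts[1].replace(".", "_") if len(parts) > 1 else ""
        group = f"(?P<{name}>" if name else "(?:"
        if kind == "ESTRING":
            delim = parts[2] if len(parts) > 2 else ""
            out.append(group + ".*?)" + re.escape(delim))
        elif kind in PARSER_REGEX:
            out.append(group + PARSER_REGEX[kind] + ")")
        else:
            raise ValueError(f"parser {kind!r} is not modelled by this example")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("".join(out))


def load_patterndb(xml_text):
    """Build {program: [(ruleset_id, rule_id, regex), ...]}. Every ruleset
    that lists a program contributes its rules to that program's candidate
    list, so ruleset B's rules are tried for sshd although A also claims it."""
    index = {}
    root = ET.fromstring(xml_text)
    for ruleset in root.findall("ruleset"):
        programs = [p.text for p in ruleset.findall("patterns/pattern")]
        for rule in ruleset.findall("rules/rule"):
            for pat in rule.findall("patterns/pattern"):
                entry = (ruleset.get("id"), rule.get("id"), pattern_to_regex(pat.text))
                for prog in programs:
                    index.setdefault(prog, []).append(entry)
    return index


def candidate_rulesets(index, program):
    """Ruleset ids that will be consulted for a given $PROGRAM."""
    return sorted({rs for rs, _, _ in index.get(program, [])})


def match(index, program, message):
    """$PROGRAM selects candidates, $MESSAGE picks the rule. Returns
    (ruleset_id, rule_id, fields) or None when nothing claims the program
    or no candidate pattern matches the whole message."""
    for rs_id, rule_id, regex in index.get(program, []):
        m = regex.fullmatch(message)
        if m:
            return rs_id, rule_id, m.groupdict()
    return None


if __name__ == "__main__":
    idx = load_patterndb(SAMPLE_PDB)
    print("rulesets consulted for sshd:", candidate_rulesets(idx, "sshd"))
    samples = [  # constructed test messages
        ("sshd", "Accepted publickey for root from 192.0.2.10 port 51234 ssh2"),
        ("sshd", "pam_unix(sshd:session): session opened for user root by (uid=0)"),
        ("crond", "pam_unix(crond:session): session opened for user root by (uid=0)"),
        ("sshd", "Received disconnect from 192.0.2.10"),
    ]
    for prog, msg in samples:
        print(f"{prog}: {msg!r} -> {match(idx, prog, msg)}")
```

The point the model makes visible is that a program name must appear in a ruleset's own `<patterns>` list before any of that ruleset's rules become candidates; once it does, the rules of all such rulesets are merged. Against the real parser, the equivalent check is `pdbtool match -p <pdb-file> -P <program> -M <message>` (syslog-ng's own tool), which is what the reproduction Bazsi asks for would exercise.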
Hi,

On Wed, Nov 27, 2013 at 11:19:26AM +0100, Balazs Scheidler wrote:
So it should just work (tm). If it doesn't then probably the merge algorithm is at fault.
Could you pls create a simpler, artificial example that demonstrates the issue so that I can reproduce it locally?
After some lag, here's the minimal configuration I prepared:

https://gist.github.com/faxm0dem/1e6dbe303e033a43acb5

The test message matches or doesn't depending on the order of patterns in the second ruleset.

Either this ain't right, or I'm misunderstanding something.

Cheers
It might be helpful to review bug 211 - dbparser pattern order breaks validation

https://bugzilla.balabit.com/show_bug.cgi?id=211

On 03/03/2014 12:52 PM, Fabien Wernli wrote:
Hi,
On Wed, Nov 27, 2013 at 11:19:26AM +0100, Balazs Scheidler wrote:
So it should just work (tm). If it doesn't then probably the merge algorithm is at fault.
Could you pls create a simpler, artificial example that demonstrates the issue so that I can reproduce it locally?
After some lag, here's the minimal configuration I prepared:
https://gist.github.com/faxm0dem/1e6dbe303e033a43acb5
The test message matches or doesn't depending on the order of patterns in the second ruleset.
Either this ain't right, or I'm misunderstanding something.
Cheers
-- 
Evan Rempel
erempel@uvic.ca
Senior Systems Administrator
250.721.7691
Data Centre Services, University Systems, University of Victoria
Hi Evan,

On Mon, Mar 03, 2014 at 01:08:12PM -0800, Evan Rempel wrote:
It might be helpful to review bug 211 - dbparser pattern order breaks validation
Seems like a match, thanks for sharing. Sorry for failing to grep the bugdb first.

Quoting the last update: "Unfortunately, I didn't have time to do this for 3.4, but it's on the TODO list for 3.5."

Time to poke Gergely (again, sorry, much appreciated!)