Changing a value after a match with patterndb
Is it possible to substitute a value after a pattern match? For example, in the pattern below, if I match the "23" then use the value "telnet", but if it is a "22", then "ssh".

    %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 131.212.1.1] [localport: 23] [Reason: Login Authentication Failed] at 10:38:41 CST Thu Jan 23 2014

I am trying to use one pattern to match both cases, and we'd prefer to have service names rather than port numbers in our db.

-- 
Mark Shetka
Infrastructure Analyst - Network Team
Information Technology Systems & Services
University of Minnesota - Duluth
(218) 726-7682
Hi Mark,

You can use template functions in patterndb [1]. The idea is to add a value to the matched message which contains the result of a template function. You could for instance use the "if" function:

    <values>
      <value name="svc">$(if ("${port}" == "22") "ssh" "telnet")</value>
    </values>

If you need anything more complex, and if you are using the 3.7.x series, you could even use a python script using the "python" template function.

Cheers

[1] https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-g...
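A complete patterndb ruleset for Mark's line, built around the "if" value Fabien describes. This is an added example, not a file from the thread or from the syslog-ng project. Assumptions: syslog-ng yields "cisco-ios" as $PROGRAM for these devices (the ruleset-level pattern must equal whatever your source really produces; print ${PROGRAM} in a destination template to check), the field names user, src_ip, localport, reason and when, and the rule ids. The test messages in the examples section are constructed from Mark's sample.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. The ruleset pattern "cisco-ios" and the
     field names are assumptions; adjust them to your source. -->
<patterndb version="4" pub_date="2016-01-12">
  <ruleset name="cisco-sec-login" id="cisco-sec-login-ruleset">
    <patterns>
      <!-- matched against $PROGRAM, literally -->
      <pattern>cisco-ios</pattern>
    </patterns>
    <rules>
      <rule provider="local" id="cisco-sec-login-failed" class="security">
        <patterns>
          <!-- Literal text matches as-is; @PARSER:name@ extracts a field.
               ESTRING consumes its stop character, so the closing ] is not
               repeated after it in the pattern. -->
          <pattern>%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: @ESTRING:user:]@ [Source: @IPv4:src_ip@] [localport: @NUMBER:localport@] [Reason: @ESTRING:reason:]@ at @ANYSTRING:when@</pattern>
        </patterns>
        <values>
          <!-- Extra name-value pair added on match. The numeric port stays in
               ${localport}; svc is derived from it with the if() template
               function. Any port other than 22 is labelled "telnet" here. -->
          <value name="svc">$(if ("${localport}" == "22") "ssh" "telnet")</value>
        </values>
        <examples>
          <!-- "pdbtool test cisco-sec-login.xml" replays these constructed
               messages through the rule and checks the extracted values. -->
          <example>
            <test_message program="cisco-ios">%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 131.212.1.1] [localport: 23] [Reason: Login Authentication Failed] at 10:38:41 CST Thu Jan 23 2014</test_message>
            <test_values>
              <test_value name="user">test</test_value>
              <test_value name="src_ip">131.212.1.1</test_value>
              <test_value name="localport">23</test_value>
              <test_value name="reason">Login Authentication Failed</test_value>
              <test_value name="svc">telnet</test_value>
            </test_values>
          </example>
          <example>
            <test_message program="cisco-ios">%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 09:12:03 CST Fri Jan 24 2014</test_message>
            <test_values>
              <test_value name="localport">22</test_value>
              <test_value name="svc">ssh</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Run "pdbtool test cisco-sec-login.xml" after every edit to the pattern; it fails if a field no longer extracts or svc comes out wrong. A single message can be tried interactively with "pdbtool match --pdb cisco-sec-login.xml --program cisco-ios --message '...'". One caveat for a security log: a two-way if() labels every port that is not 22 as "telnet", so a failed login on, say, a management HTTPS port would be recorded as a telnet failure. Keeping the raw number in localport limits the damage, but if more services can appear it is safer to do the mapping with a default value plus conditional rewrites in the configuration, as Bazsi suggests in this thread.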
I would suggest doing this mapping _after_ the db-parser() stuff, e.g. I would use db-parser _only_ to extract name-value pairs and then do the mappings from the syslog-ng configuration file:

    parser {
      channel {
        parser { db-parser(); };
        rewrite { set("telnet" value("LOCALPORT") condition("${LOCALPORT}" == "23")); };
        rewrite { set("ssh" value("LOCALPORT") condition("${LOCALPORT}" == "22")); };
      };
    };

We would definitely need to improve the syntax in the rewrite portion though, and I am willing to invest some effort in that direction.

My point really is that db-parser() should be used for extraction, the rest of the syntax language for munging/mapping.

-- Bazsi

(In reply to Fabien Wernli, Tue, Jan 12, 2016 at 4:47 PM.)
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
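A runnable configuration in the shape Bazsi recommends: db-parser() for extraction only, the port-to-service mapping done with conditional set() rewrites. This is an added example, not configuration from the thread or from the syslog-ng project. It assumes a patterndb file at the path shown whose rule stores the numeric port in a field named localport (Bazsi's message calls it LOCALPORT; use whatever name your rule assigns), a UDP syslog source on port 514, and syslog-ng 3.7 or later, which is what the thread refers to.

```conf
@version: 3.7

# Added example, not part of the original thread. Assumed: the patterndb
# file path, the field name "localport", the listening port and the log path.

source s_cisco {
  network(transport("udp") port(514));
};

# Extraction only: the pattern database turns the Cisco text into name-value pairs.
parser p_cisco {
  db-parser(file("/etc/syslog-ng/patterndb.d/cisco-sec-login.xml"));
};

# Mapping in the configuration language. Rewrites run in order: the first set()
# supplies a default whenever a port was extracted at all, so a port that neither
# conditional line knows about is still labelled instead of being mislabelled;
# the conditional set()s then override it for 23 and 22. The result goes into a
# new field, svc, so the original number survives in localport for correlation
# with firewall or flow records.
rewrite r_svc {
  set("port-${localport}" value("svc") condition("${localport}" != ""));
  set("telnet" value("svc") condition("${localport}" == "23"));
  set("ssh"    value("svc") condition("${localport}" == "22"));
};

destination d_login {
  file("/var/log/cisco-login.log"
       template("${ISODATE} ${HOST} svc=${svc} port=${localport} ${MESSAGE}\n"));
};

log {
  source(s_cisco);
  parser(p_cisco);
  rewrite(r_svc);
  destination(d_login);
};
```

Check the file with "syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf" before reloading; a stray parenthesis in a condition() is reported there rather than at runtime. If the order of the three set() lines is reversed the default overwrites the service names, which is the ordering pitfall the comments describe.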
AFAIK there is a getent() function in syslog-ng-incubator for the port -> protocol translation.

(In reply to Scheidler, Balázs, 2016-01-12 17:15 GMT+01:00.)
That might be the case for the port mapping, however I think it would be nice to have map() as a rewrite operation, e.g. one that maps specific values to others. And also, improving the conditional evaluation somehow would be great. Right now we have to do stuff like:

    channel {
      log { filter(blabla); conditional processing here; flags(final); };
      log { filter(blabla2); conditional2 processing here; flags(final); };
      log { filter(blabla3); conditional3 processing here; flags(final); };
    };

It would be _much_ nicer to have something like this:

    channel {
      if (blabla) { conditional processing here; };
      if (blabla2) { conditional2 processing here; };
      if (blabla3) { conditional3 processing here; };
    };

We could perhaps add else as well.

-- Bazsi

(In reply to Tibor Benke, Tue, Jan 12, 2016 at 5:25 PM.)
Thanks. Do you know when set condition became available in rewrite?

-- 
Mark Shetka
Infrastructure Analyst - Network Team
Information Technology Systems & Services
University of Minnesota - Duluth
(218) 726-7682

(In reply to Scheidler, Balázs, Tue, Jan 12, 2016 at 10:15 AM.)
It was implemented in 2010, in syslog-ng 3.2, by this patch:

    Author:    Balazs Scheidler <bazsi@balabit.hu> 2010-07-29 09:59:53
    Committer: Balazs Scheidler <bazsi@balabit.hu> 2010-07-29 09:59:53
    Parent:    aeab9e22207cb7700a0e0cfb359e2f1adc221301 (logrewrite: cleaned up naming of subst specific methods)
    Branches:  master and many more (547)
    Follows:   v3.2alpha1
    Precedes:  v3.2beta1

    rewrite: implement condition() option for rewrite expressions

    This patch implements the condition() option for rewrite expressions, which
    makes it possible to only apply a given rewrite rule if the message matches
    the filter. For example:

        set("something new" condition(facility(auth)));

-- Bazsi

(In reply to Mark Shetka, Tue, Jan 12, 2016 at 5:54 PM.)
participants (4)
- Fabien Wernli
- Mark Shetka
- Scheidler, Balázs
- Tibor Benke