[syslog-ng] patterndb: collect login/logout samples

Balazs Scheidler bazsi at balabit.hu
Thu Jul 15 16:28:54 CEST 2010


On Tue, 2010-07-13 at 10:35 -0500, Martin Holste wrote:
> Here's one for an Apache basic auth failure on SLES 10 with the
> default Apache log format:
> 
> [Mon Jul 12 08:55:22 2010] [error] [client 10.10.66.7] user xxxx:
> authentication failure for "/": Password Mismatch

I've created an apache2.pdb file under the 'file-service' directory (but I'm
open to suggestions regarding the directory name) and added your pattern
as:

+      <rule provider="patterndb" id="5402ccee-d854-4f1e-877c-3c9332b6cc0e" class="system">
+        <patterns>
+          <pattern>[error] [client @ESTRING:usracct.device:]@ user @ESTRING:usracct.username::@ authentication failure for @QSTRING:usracct.object:"@: @ANYSTRING:details@</pattern>
+        </patterns>
+        <examples>
+          <example>
+           <test_message program="sshd">[error] [client 10.10.66.7] user xxxx: authentication failure for "/": Password Mismatch</test_message>
+           <test_values>
+            <test_value name="usracct.username">xxxx</test_value>
+            <test_value name="usracct.device">10.10.66.7</test_value>
+            <test_value name="usracct.service">http</test_value>
+            <test_value name="usracct.object">/</test_value>
+            <test_value name="details">Password Mismatch</test_value>
+           </test_values>
+          </example>
+        </examples>
+        <values>
+          <value name="usracct.type">login</value>
+          <value name="usracct.application">$PROGRAM</value>
+          <value name="secevt.verdict">REJECT</value>
+        </values>
+        <tags>
+          <tag>usracct</tag>
+          <tag>secevt</tag>
+        </tags>
+      </rule>
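Review bot: the `<test_value name="usracct.service">http</test_value>` in the example will not hold, because nothing in this rule produces `usracct.service`: the pattern extracts only `usracct.device`, `usracct.username`, `usracct.object` and `details`, and `<values>` sets only `usracct.type`, `usracct.application` and `secevt.verdict`. Either add `<value name="usracct.service">http</value>` under `<values>` or drop that `<test_value>`. Also, `program="sshd"` on the `<test_message>` does not match an Apache rule living in apache2.pdb; the program name should be the one the rule is meant to match.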

This sample was very good, because:
  1) I recognized that an "object" might be needed in the usracct schema 
     to describe the object being accessed
  2) I've found a bug in "pdbtool match --debug-pattern", fixed in OSE 3.2 tree
  3) I noted that once I start adding an apache2 configuration snippet to SCL we need 
     to make sure that the timestamp is not included in the message.

My solution for not including the timestamp was that apache2 doesn't include
it when it directly uses syslog(). However, when reading the apache2 log
files directly, it is there. I'm not sure how to handle this properly from
within SCL right now, but I'll find a way to do that.

-- 
Bazsi
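As an added illustration (not syslog-ng code and not part of the original mail), a small Python emulation of the three patterndb parser types the rule above uses (@ESTRING@, @QSTRING@, @ANYSTRING@), run over the sample message and over the same message with the Apache file-log timestamp prefix that point 3 warns about. The regex translation and the check_example helper are simplifications written for this example; the static values omit the $PROGRAM macro.

```python
import re

# Constructed copies of the rule's pattern and of the sample message from the mail.
PATTERN = ('[error] [client @ESTRING:usracct.device:]@ user @ESTRING:usracct.username::@ '
           'authentication failure for @QSTRING:usracct.object:"@: @ANYSTRING:details@')
SAMPLE = '[error] [client 10.10.66.7] user xxxx: authentication failure for "/": Password Mismatch'
# Static name-value pairs the rule's <values> section adds on a match ($PROGRAM macro omitted).
STATIC_VALUES = {'usracct.type': 'login', 'secevt.verdict': 'REJECT'}

# @PARSER:name:argument@  (the argument is optional, e.g. for ANYSTRING)
PARSER_RE = re.compile(r'@(ESTRING|QSTRING|ANYSTRING):([^:@]+)(?::([^@]*))?@')

def pattern_to_regex(pattern):
    """Translate a patterndb pattern into an anchored regex plus a group->name map.
    Simplified emulation: only ESTRING, QSTRING and ANYSTRING are handled."""
    parts, names, pos = [], {}, 0
    for i, m in enumerate(PARSER_RE.finditer(pattern)):
        parts.append(re.escape(pattern[pos:m.start()]))  # literal text between parsers
        kind, name, arg = m.group(1), m.group(2), m.group(3)
        group = 'g%d' % i                 # regex group names cannot contain dots
        names[group] = name
        if kind == 'ESTRING':
            # shortest run of characters up to the terminator, which is consumed
            parts.append('(?P<%s>.*?)%s' % (group, re.escape(arg)))
        elif kind == 'QSTRING':
            # text between the quote characters; a single character serves as both quotes
            q_open, q_close = arg[0], arg[-1]
            parts.append('%s(?P<%s>[^%s]*)%s' % (re.escape(q_open), group,
                                                 re.escape(q_close), re.escape(q_close)))
        else:
            parts.append('(?P<%s>.*)' % group)  # ANYSTRING: the rest of the message
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile('^' + ''.join(parts) + '$'), names

def match(pattern, message):
    """Return the parsed name-value pairs, or None when the message does not match."""
    regex, names = pattern_to_regex(pattern)
    m = regex.match(message)
    return None if m is None else {names[g]: v for g, v in m.groupdict().items()}

def check_example(parsed, expected):
    """Emulate the <test_values> check: report expected names that are missing or differ."""
    produced = dict(STATIC_VALUES, **parsed)
    return {k: v for k, v in expected.items() if produced.get(k) != v}

if __name__ == '__main__':
    print(match(PATTERN, SAMPLE))
    # Apache's own log file carries a timestamp prefix that the anchored rule does not expect.
    print(match(PATTERN, '[Mon Jul 12 08:55:22 2010] ' + SAMPLE))
    print(check_example(match(PATTERN, SAMPLE), {'usracct.service': 'http'}))
```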
