[syslog-ng] Solving parsing problem

otgovorete at gmail.com
Thu Sep 2 15:12:40 CEST 2010


Hi guys,

I have written a parser for the authentication logs of HP-UX. Here is the
situation:

A) Sep 22 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from xxxx port 1691 ssh2
B) Sep 2 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from xxxx port 1691 ssh2

The parser I've made parses A successfully but not B. The problem is the extra
whitespace when the date is a single digit. I am testing the parsing with
syslog-ng's pdbtool.

The outcome of parsing A is:
PROGRAM=ssh
.classifier.class=legitimate
.classifier.rule_id=ssh-succeed
SucceedLogin_MONTH=Sep
SucceedLogin_DATE=22
SucceedLogin_TIME=13:14:24
SucceedLogin_SERVER=serverone
SucceedLogin_SERVICE.ID=sshd[12934]:
SucceedLogin_USER_NAME=username
SucceedLogin_DESTINATION=xxxx
SucceedLogin_SOURCE.PORT=1691

The outcome of parsing B is:
Matching part:
Sep 2 13:14:24 serverone
Values:
MESSAGE=Sep 2 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from xxxx port 1691 ssh2
PROGRAM=ssh
.classifier.class=unknown

Here is the parser from the XML file:

<patterns>
  <pattern>@ESTRING:SucceedLogin_MONTH: @@ESTRING:SucceedLogin_DATE: @@ESTRING:SucceedLogin_TIME: @@ESTRING:SucceedLogin_SERVER: @@ESTRING:SucceedLogin_SERVICE.ID: @Accepted keyboard-interactive/pam for @ESTRING:SucceedLogin_USER_NAME: @from @ESTRING:SucceedLogin_DESTINATION: @port @ESTRING:SucceedLogin_SOURCE.PORT: @ssh2</pattern>
</patterns>

and here is the pdbtool command:

/opt/syslog-ng/bin/pdbtool match -D -c -p login.parser.new.xml -P "ssh" \
  -M "Sep 22 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam for username from xxxx port 1691 ssh2"

Please advise me how to proceed. Thank you.

Kosta
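The following is an added example, not code from the post above or from syslog-ng. It reproduces the failure mode the post describes and shows a whitespace-tolerant parser beside it. The cause: a BSD syslog timestamp pads a single-digit day with a space (strftime "%e"), so line B really contains two spaces between "Sep" and "2" even though an HTML archive collapses them. An @ESTRING:...: @ with a single-space delimiter then matches the empty string for SucceedLogin_DATE, every later field shifts left by one, and the literal "Accepted" is compared against "sshd[12934]:", which is exactly where pdbtool's "Matching part" stops. The sample lines are constructed for this example, the `estring_match` function is an approximation of ESTRING semantics written for illustration (it is not syslog-ng's implementation), and the corrected parser generalizes beyond the post by capturing the authentication method instead of hard-coding "keyboard-interactive/pam", and by sanity-checking the port and calendar fields.

```python
import re
from datetime import datetime

# Constructed sample lines for this example (not taken from a real host).
# B is the single-digit-day case: BSD syslog pads the day with a space ("%e"),
# so "Sep" and "2" are separated by TWO spaces.
LINE_A = ("Sep 22 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam "
          "for username from xxxx port 1691 ssh2")
LINE_B = ("Sep  2 13:14:24 serverone sshd[12934]: Accepted keyboard-interactive/pam "
          "for username from xxxx port 1691 ssh2")

# The posted patterndb pattern as a token list: ("estring", name, delimiter) stands for
# @ESTRING:name:delimiter@ and ("lit", text) for literal text between parsers.
POSTED_PATTERN = [
    ("estring", "SucceedLogin_MONTH", " "),
    ("estring", "SucceedLogin_DATE", " "),
    ("estring", "SucceedLogin_TIME", " "),
    ("estring", "SucceedLogin_SERVER", " "),
    ("estring", "SucceedLogin_SERVICE.ID", " "),
    ("lit", "Accepted keyboard-interactive/pam for "),
    ("estring", "SucceedLogin_USER_NAME", " "),
    ("lit", "from "),
    ("estring", "SucceedLogin_DESTINATION", " "),
    ("lit", "port "),
    ("estring", "SucceedLogin_SOURCE.PORT", " "),
    ("lit", "ssh2"),
]


def estring_match(line, pattern=POSTED_PATTERN):
    """Approximate ESTRING semantics (an assumption of this example, not syslog-ng code):
    each ESTRING consumes everything up to the next occurrence of its delimiter, then the
    delimiter; a literal must match exactly at the current position.
    Returns (values, matched_prefix); values is None where pdbtool reports class=unknown."""
    values, pos = {}, 0
    for tok in pattern:
        if tok[0] == "lit":
            if not line.startswith(tok[1], pos):
                return None, line[:pos]          # pdbtool's "Matching part" ends here
            pos += len(tok[1])
        else:
            _, name, delim = tok
            end = line.find(delim, pos)
            if end < 0:
                return None, line[:pos]
            values[name] = line[pos:end]         # on a double space this is "" for DATE
            pos = end + len(delim)
    return values, line[:pos]


# Whitespace-tolerant parser: \s+ between header fields accepts the padded day and the
# day is 1 or 2 digits. The method is captured rather than hard-coded, so publickey and
# password logins parse as well (a generalization beyond the post).
ACCEPTED_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<date>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<server>\S+)\s+(?P<service_id>sshd\[\d+\]:)\s+"
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d{1,5}) ssh2$"
)


def parse_accepted(line):
    """Return the same SucceedLogin_* keys the posted pattern produces, or None."""
    m = ACCEPTED_RE.match(line)
    if m is None:
        return None
    if not 1 <= int(m.group("port")) <= 65535:
        return None
    # BSD syslog carries no year. Anchor validation to a leap year so a genuine
    # "Feb 29" line is not rejected, while "Sep 31" still is.
    try:
        datetime.strptime("2000 %s %s %s" % (m.group("month"), m.group("date"),
                                             m.group("time")), "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return {
        "SucceedLogin_MONTH": m.group("month"),
        "SucceedLogin_DATE": m.group("date"),
        "SucceedLogin_TIME": m.group("time"),
        "SucceedLogin_SERVER": m.group("server"),
        "SucceedLogin_SERVICE.ID": m.group("service_id"),
        "SucceedLogin_METHOD": m.group("method"),
        "SucceedLogin_USER_NAME": m.group("user"),
        "SucceedLogin_DESTINATION": m.group("src"),   # the post's name for the peer address
        "SucceedLogin_SOURCE.PORT": m.group("port"),
    }


if __name__ == "__main__":
    for label, line in (("A", LINE_A), ("B", LINE_B)):
        values, matched = estring_match(line)
        print(label, "ESTRING-style:", values if values else "unknown, matched %r" % matched)
        print(label, "tolerant:", parse_accepted(line))
```

Run it and line A parses both ways while line B fails the ESTRING emulation with the matched prefix "Sep  2 13:14:24 serverone " and parses with the tolerant regex. As a general point about syslog-ng rather than this post: patterndb normally matches the MESSAGE part after syslog-ng's own syslog parser has consumed the date, host and program, and that parser handles the padded day, so a pattern does not usually need to match the timestamp at all.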

