[syslog-ng] Solving parsing problem

Balazs Scheidler bazsi at balabit.hu
Thu Sep 2 17:44:58 CEST 2010


On Thu, 2010-09-02 at 13:12 +0000, otgovorete at gmail.com wrote:
> Hi guys,
> 
> I have done parser for the authentication logs of HPUX. Here is the
> situation:
> 
> A)Sep 22 13:14:24 serverone sshd[12934]: Accepted
> keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
> B)Sep 2 13:14:24 serverone sshd[12934]: Accepted
> keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
> 
> The parser I've made parses successfully A but not B. The problem is
> extra whitespace when the date is one digit. I am testing parsing with
> pdbtool of syslog-ng.
> 
> The outcome of parsing of A is:
> PROGRAM=ssh
> .classifier.class=legitimate
> .classifier.rule_id=ssh-succeed
> SucceedLogin_MONTH=Sep
> SucceedLogin_DATE=22
> SucceedLogin_TIME=13:14:24
> SucceedLogin_SERVER=serverone
> SucceedLogin_SERVICE.ID=sshd[12934]:
> SucceedLogin_USER_NAME=username
> SucceedLogin_DESTINATION=x.x.x.x
> SucceedLogin_SOURCE.PORT=1691
> 
> The outcome of parsing of B is:
> Matching part:
> Sep 2 13:14:24 serverone
> Values:
> MESSAGE=Sep 2 13:14:24 serverone sshd[12934]: Accepted
> keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2
> PROGRAM=ssh
> .classifier.class=unknown
> 
> Here is the parser from xml file:
> 
> <patterns> <pattern>@ESTRING:SucceedLogin_MONTH:
> @@ESTRING:SucceedLogin_DATE: @@ESTRING:SucceedLogin_TIME:
> @@ESTRING:SucceedLogin_SERVER: @@ESTRING:SucceedLogin_SERVICE.ID:
> @Accepted keyboard-interactive/pam for
> @ESTRING:SucceedLogin_USER_NAME: @from
> @ESTRING:SucceedLogin_DESTINATION: @port
> @ESTRING:SucceedLogin_SOURCE.PORT: @ssh2</pattern> </patterns>
> 
> and here is the command pdbtool:
> 
> /opt/syslog-ng/bin/pdbtool match -D -c -p login.parser.new.xml -P
> "ssh" -M "Sep 22 13:14:24 serverone sshd[12934]: Accepted
> keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2"
> 
> Please, advise me how to proceed. Thank you.

With -M you need to pass only the $MSG portion of the syslog
message. Alternatively you can use pdbtool match -f <filename> which
will read and _parse_ syslog messages from the given file and only pass
the payload for parsing.

So, in your rule, you don't need the day/month macros.

And if you really wanted to parse the date, you could perhaps use the
@NUMBER@ parser.

-- 
Bazsi
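The point of the reply is that the "Sep  2" padding never reaches the patterndb rule when the rule is matched against $MSG only: the BSD syslog header (timestamp, host, program[pid]) is stripped by syslog-ng's own parser before the pattern is applied. The following Python script is an added illustration of that split, not code from the mailing list or from syslog-ng. It parses the header the way a syslog receiver does, tolerating the single-digit-day padding, and then applies a regex equivalent of the poster's pattern with the MONTH/DATE/TIME/SERVER/SERVICE.ID fields removed. The sample lines are the poster's two examples (constructed here with the two-space padding a real syslog daemon emits for "Sep  2"), and the field names follow the poster's rule except that SOURCE.PORT is written SOURCE_PORT because Python group names cannot contain a dot.

```python
import re
from typing import Optional, Dict

# Constructed sample lines: the poster's A and B cases. B carries the
# two-space padding BSD syslog uses for a single-digit day.
SAMPLE_A = ("Sep 22 13:14:24 serverone sshd[12934]: Accepted "
            "keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2")
SAMPLE_B = ("Sep  2 13:14:24 serverone sshd[12934]: Accepted "
            "keyboard-interactive/pam for username from x.x.x.x port 1691 ssh2")

# BSD (RFC 3164) header: "Mmm dd HH:MM:SS host prog[pid]: msg".
# The day is right-aligned in a two-character field, so a one-digit day is
# preceded by two spaces; "\s+" absorbs that where a literal " " would not.
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)

# Regex equivalent of the poster's rule with the header fields dropped,
# i.e. what pdbtool -M should be given.  Each @ESTRING:name: @ consumes up to
# the next space, which "\S+" mirrors.  Group names are the poster's, with
# SOURCE.PORT spelled SOURCE_PORT (regex group names cannot contain a dot).
MSG_RE = re.compile(
    r"^Accepted keyboard-interactive/pam for (?P<SucceedLogin_USER_NAME>\S+) "
    r"from (?P<SucceedLogin_DESTINATION>\S+) "
    r"port (?P<SucceedLogin_SOURCE_PORT>\d+) ssh2$"
)


def split_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split a BSD syslog line into header fields and the $MSG payload.

    Returns None when the line does not carry a recognisable header.
    """
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> Dict[str, str]:
    """Apply the ssh-succeed rule to the $MSG portion of a full syslog line.

    Mirrors pdbtool's output: PROGRAM plus the .classifier.* values, and the
    named fields when the rule matches; .classifier.class=unknown otherwise.
    """
    parts = split_syslog(line)
    if parts is None:
        return {".classifier.class": "unknown"}
    m = MSG_RE.match(parts["msg"])
    if not m:
        return {"PROGRAM": parts["program"], ".classifier.class": "unknown"}
    result = {
        "PROGRAM": parts["program"],
        "PID": parts["pid"] or "",
        ".classifier.class": "legitimate",
        ".classifier.rule_id": "ssh-succeed",
    }
    result.update(m.groupdict())
    return result


if __name__ == "__main__":
    # Both the one-digit and two-digit day variants classify identically,
    # because the padding lives in the header, not in $MSG.
    for sample in (SAMPLE_A, SAMPLE_B):
        print("MSG:", split_syslog(sample)["msg"])
        for key, value in classify(sample).items():
            print(f"  {key}={value}")
```

The same idea applies to the pattern file itself: drop the five header ESTRING fields from the rule so it starts at "Accepted keyboard-interactive/pam for", and feed pdbtool either the payload alone with -M or the full line through -f so syslog-ng performs the header split.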
