[syslog-ng] pdbtool parse with success but syslog-ng.conf NOT

otgovorete at gmail.com otgovorete at gmail.com
Fri Sep 3 17:07:03 CEST 2010


Hi guys,

I have the following situation: I can parse the message below successfully with pdbtool, but when I parse it through syslog-ng.conf and store .classifier.class in the DB, I get "unknown" in the column where .classifier.class is placed, or nothing at all when I store the value of FailedLogin_USERNAME in the table.
Please see my syslog-ng.conf file below.

Please help me to find the mistake. Thank you.

Kosta

Values:
MESSAGE=Sep 13 17:34:00 server1 sshd[20981]: Failed  
keyboard-interactive/pam for invalid user dfgdf from xxxx port 3602 ssh2
PROGRAM=ssh
.classifier.class=violation
.classifier.rule_id=ssh-failed
FailedLogin_MONTH=Sep
FailedLogin_DATE=13
FailedLogin_TIME=17:34:00
FailedLogin_SERVER=server1
FailedLogin_SERVICE.ID2=sshd[20981]:
FailedLogin_USERNAME=dfgdf
FailedLogin_SOURCE_IP=xxxx
FailedLogin_SOURCE.PORT=3602
kosta at Kostadin:~$ /opt/syslog-ng/bin/pdbtool match -D -c -p  
/opt/syslog-ng/var/login.parser.new.xml -P "ssh" -M "Sep 13 17:34:00  
server1 sshd[20981]: Failed keyboard-interactive/pam for invalid user dfgdf  
from xxxx port 3602 ssh2"


<!-- Rule 'ssh-failed' (class 'violation'). The pattern begins by consuming the
     month, date, time and host fields, i.e. it is written against the whole raw
     line including the syslog header; that is also what pdbtool received via -M
     above (the pdbtool run was given -P "ssh", so PROGRAM=ssh in its output).
     NOTE(review): if the running source already splits the header off into
     $DATE/$HOST/$PROGRAM, the text handed to the db-parser would start at
     "Failed ..." and this pattern would not match; confirm what $MESSAGE holds
     at that point, and that the ruleset's program pattern (not shown here)
     accepts the program name seen at runtime.
     The <pattern> line is truncated in this excerpt (display cut at "FailedL$"). -->
<rule provider='balabit' id='ssh-failed' class='violation'>
<patterns>
<pattern>@ESTRING:FailedLogin_MONTH: @@ESTRING:FailedLogin_DATE:  
@@ESTRING:FailedLogin_TIME: @@ESTRING:FailedLogin_SERVER: @@ESTRING:FailedL$
</patterns>
</rule>








################
# DESTINATIONS #
################

# MSSQL destination: writes one row per message through the sql() driver.
# NOTE(review): the database password is stored in plaintext in this file and
# the file has been shared on a public list (the " at " is most likely the
# archive's @-obfuscation); rotate that credential and keep syslog-ng.conf
# readable only by the syslog-ng user.
# columns() and values() must stay positionally aligned; the columns() list is
# truncated in this excerpt (display cut at "varchar(6)$"), so the six values()
# entries cannot be checked against it here.
# "${.classifier.class}" is populated by the pattern_db parser (db_parser), so
# that parser has to run before this destination in the log path.
destination d_mssql_unix {
sql(type(mssql) host("medea.mobiltel.bg") port("1433")
username("syslog_ng") password("nglogp at ss") database("SysLog")
table("SYSLOG_unix1")columns("Date varchar(40)", "Time  
varchar(16)", "SourceServer varchar(8)", "SendingProgram varchar(5)", "PID  
varchar(6)$
values("$DATE_", "$TIME_", "$HOST", "$PROGRAM", "$PID", "${.classifier.class}"));
};

###############
# PARSER #
###############

# Pattern-DB parser: matches the message against the rules in
# login.parser.new.xml and, on a hit, sets .classifier.class,
# .classifier.rule_id and the rule's named fields (FailedLogin_*).
parser pattern_db {
    db_parser(
        file("/opt/syslog-ng/var/login.parser.new.xml")
    );
};

# Splits ${ISODATE} at its "T" separator into the DATE_ and TIME_ columns,
# which d_mssql_unix consumes as $DATE_ and $TIME_.
parser DateTime {
    csv-parser(
        columns("DATE_", "TIME_")
        delimiters("T")
        flags(escape-none)
        template("${ISODATE}")
    );
};


###############
# LOG #
###############

# Log path: s_net -> DateTime -> pattern_db -> d_mssql_unix and
# d_messages_successful. Both parsers are listed ahead of the destinations, so
# ${.classifier.class} used by d_mssql_unix has been set by the time the row
# is written. s_net and d_messages_successful are defined outside this excerpt.
log {
    source(s_net);
    parser(DateTime);
    parser(pattern_db);
    destination(d_mssql_unix);
    destination(d_messages_successful);
};

