[syslog-ng] pdbtool parse with success but syslog-ng.conf NOT
otgovorete at gmail.com
otgovorete at gmail.com
Fri Sep 3 17:07:03 CEST 2010
Hi guys,
I have the following situation: I can parse the message below successfully with pdbtool,
but when it goes through syslog-ng.conf and I store .classifier.class in the DB,
I get "unknown" in the column where .classifier.class is placed, or nothing when
I put the value of FailedLogin_USERNAME in the table.
Please see my syslog-ng.conf file below.
Please help me to find the mistake. Thank you.
Kosta
Values:
MESSAGE=Sep 13 17:34:00 server1 sshd[20981]: Failed
keyboard-interactive/pam for invalid user dfgdf from xxxx port 3602 ssh2
PROGRAM=ssh
.classifier.class=violation
.classifier.rule_id=ssh-failed
FailedLogin_MONTH=Sep
FailedLogin_DATE=13
FailedLogin_TIME=17:34:00
FailedLogin_SERVER=server1
FailedLogin_SERVICE.ID2=sshd[20981]:
FailedLogin_USERNAME=dfgdf
FailedLogin_SOURCE_IP=xxxx
FailedLogin_SOURCE.PORT=3602
kosta at Kostadin:~$ /opt/syslog-ng/bin/pdbtool match -D -c -p
/opt/syslog-ng/var/login.parser.new.xml -P "ssh" -M "Sep 13 17:34:00
server1 sshd[20981]: Failed keyboard-interactive/pam for invalid user dfgdf
from xxxx port 3602 ssh2"
<rule provider='balabit' id='ssh-failed' class='violation'>
<patterns>
<pattern>@ESTRING:FailedLogin_MONTH: @@ESTRING:FailedLogin_DATE:
@@ESTRING:FailedLogin_TIME: @@ESTRING:FailedLogin_SERVER: @@ESTRING:FailedL$
</patterns>
</rule>
################
# DESTINATIONS #
################
# Destination: write the parsed fields into an MSSQL table through the sql() driver.
# NOTE(review): this pasted config carries a live database password and an internal
# hostname; a credential that has been posted to a public list should be treated as
# exposed and rotated, and secrets should be stripped before a config is shared.
destination d_mssql_unix {
sql(type(mssql) host("medea.mobiltel.bg") port("1433")
username("syslog_ng") password("nglogp at ss") database("SysLog")
# The columns(...) list is cut off in the paste (the trailing "$"); it has to line up
# one-to-one with the values() list below.
table("SYSLOG_unix1")columns("Date varchar(40)", "Time
varchar(16)", "SourceServer varchar(8)", "SendingProgram varchar(5)", "PID
varchar(6)$
# ${.classifier.class} is what the pattern_db parser set; the "unknown" seen in this
# column is presumably the value left when no rule matched the message in this path.
values("$DATE_", "$TIME_", "$HOST", "$PROGRAM", "$PID", "${.classifier.class}"));
};
###############
# PARSER #
###############
# Parser: pattern-db classification against the same XML file pdbtool was run with.
# On a match it sets ${.classifier.class}, ${.classifier.rule_id} and the
# FailedLogin_* name-value pairs shown in the pdbtool output above.
parser pattern_db {
db_parser(file("/opt/syslog-ng/var/login.parser.new.xml"));
};
# Parser: split ${ISODATE} at the "T" separator into DATE_ and TIME_, which feed
# the first two columns of the sql destination.
parser DateTime {
csv-parser(columns("DATE_", "TIME_")
delimiters("T")
flags(escape-none)
template("${ISODATE}"));
};
###############
# LOG #
###############
# Log path: s_net -> DateTime -> pattern_db -> both destinations.
# s_net and d_messages_successful are defined outside the pasted snippet.
# NOTE(review): pdbtool was invoked with -P "ssh" and the whole syslog line
# (timestamp, host, "sshd[20981]:") as -M, whereas in this path $PROGRAM and
# $MSG come from syslog-ng's own header parsing of what s_net receives
# (presumably PROGRAM "sshd" and MSG starting at "Failed ..."). A ruleset keyed
# on program "ssh", or a pattern that begins with the month/date/host fields,
# would then not match here, which is consistent with the "unknown" class in
# the DB — confirm by running pdbtool with -P/-M set to the exact $PROGRAM/$MSG
# values syslog-ng produces for this source (e.g. write them to a file first).
log {
source(s_net);
parser (DateTime);
parser(pattern_db);
destination(d_mssql_unix);
destination(d_messages_successful);
};
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100903/262dd82f/attachment-0001.htm