[syslog-ng] pdbtool parse with success but syslog-ng.conf NOT

Matthew Hall mhall at mhcomputing.net
Fri Sep 3 19:56:14 CEST 2010


On Fri, Sep 03, 2010 at 03:07:03PM +0000, otgovorete at gmail.com wrote:
> kosta at Kostadin:~$ /opt/syslog-ng/bin/pdbtool match -D -c -p
> /opt/syslog-ng/var/login.parser.new.xml -P "ssh" -M "Sep 13 17:34:00
> server1 sshd[20981]: Failed keyboard-interactive/pam for invalid
> user dfgdf from xxxx port 3602 ssh2"
> 
> <rule provider='balabit' id='ssh-failed' class='violation'>
> <patterns>
> <pattern>@ESTRING:FailedLogin_MONTH: @@ESTRING:FailedLogin_DATE:
> @@ESTRING:FailedLogin_TIME: @@ESTRING:FailedLogin_SERVER:
> @@ESTRING:FailedL$
> </patterns>
> </rule>

I had this problem before as well. It's important to know that certain
headers are stripped off the message before they are parsed.

"Sep 13 17:34:00 server1 " should get stripped off before the match.

There's a thread from a while ago I started when I had this issue:

https://lists.balabit.hu/pipermail/syslog-ng/2010-August/014588.html
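To make the header-stripping effect visible, here is an added Python simulation (not code from the thread or from syslog-ng itself): it splits a raw BSD-syslog line into the fields syslog-ng exposes, then matches a patterndb-style pattern against the raw line versus the MESSAGE body, as the running daemon would. The sample line, the field names after the header and the tail of the pattern are constructed assumptions.

```python
import re

# Constructed sample line (not from the thread), shaped like the one quoted above.
RAW_LINE = ("Sep 13 17:34:00 server1 sshd[20981]: Failed keyboard-interactive/pam "
            "for invalid user dfgdf from xxxx port 3602 ssh2")

# One pattern that starts at the syslog header (what pdbtool -M was fed) and one
# that starts at the MESSAGE body. Field names and the tail are assumptions.
HEADER_PATTERN = ("@ESTRING:FailedLogin_MONTH: @@ESTRING:FailedLogin_DATE: @"
                  "@ESTRING:FailedLogin_TIME: @@ESTRING:FailedLogin_SERVER: @"
                  "@ESTRING:FailedLogin_PROGRAM::@ Failed keyboard-interactive/pam for "
                  "invalid user @ESTRING:FailedLogin_USER: @from @ESTRING:FailedLogin_IP: @"
                  "port @ESTRING:FailedLogin_PORT: @ssh2")
MESSAGE_PATTERN = ("Failed keyboard-interactive/pam for invalid user "
                   "@ESTRING:FailedLogin_USER: @from @ESTRING:FailedLogin_IP: @"
                   "port @ESTRING:FailedLogin_PORT: @ssh2")

HEADER_RE = re.compile(r"^(?P<date>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")
TOKEN_RE = re.compile(r"@ESTRING:(\w+):([^@]*)@")

def split_syslog(line):
    """Split a BSD-syslog line into the macros syslog-ng exposes (DATE, HOST,
    PROGRAM, PID, MESSAGE). patterndb rules are matched against MESSAGE only."""
    m = HEADER_RE.match(line)
    if not m:
        return {"MESSAGE": line}          # no parsable header: whole line is MESSAGE
    return {"DATE": m["date"], "HOST": m["host"], "PROGRAM": m["program"],
            "PID": m["pid"] or "", "MESSAGE": m["message"]}

def match_pattern(pattern, text):
    """Minimal patterndb-style matcher: literal text plus @ESTRING:name:delim@.
    The whole text must be consumed. Returns extracted fields or None
    (simplified: no other parser types, no radix-tree longest match)."""
    values, pos, last = {}, 0, 0
    for tok in TOKEN_RE.finditer(pattern):
        literal = pattern[last:tok.start()]
        if not text.startswith(literal, pos):
            return None
        pos += len(literal)
        name, delim = tok.groups()
        end = text.find(delim, pos) if delim else len(text)   # empty delim: to end
        if end < 0:
            return None
        values[name] = text[pos:end]
        pos, last = end + len(delim), tok.end()
    return values if text[pos:] == pattern[last:] else None

def match_as_syslog_ng_would(pattern, raw_line):
    """What the running daemon sees: the pattern is applied to MESSAGE, not the raw line."""
    return match_pattern(pattern, split_syslog(raw_line)["MESSAGE"])
```

Running `match_pattern(HEADER_PATTERN, RAW_LINE)` succeeds like the pdbtool invocation above, while `match_as_syslog_ng_would(HEADER_PATTERN, RAW_LINE)` returns None; only the MESSAGE-relative pattern matches in the daemon's view.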
