[syslog-ng] pdbtool parse with success but syslog-ng.conf NOT

Balazs Scheidler bazsi at balabit.hu
Fri Sep 3 22:05:34 CEST 2010


On Fri, 2010-09-03 at 10:56 -0700, Matthew Hall wrote:
> On Fri, Sep 03, 2010 at 03:07:03PM +0000, otgovorete at gmail.com wrote:
> > kosta at Kostadin:~$ /opt/syslog-ng/bin/pdbtool match -D -c -p
> > /opt/syslog-ng/var/login.parser.new.xml -P "ssh" -M "Sep 13 17:34:00
> > server1 sshd[20981]: Failed keyboard-interactive/pam for invalid
> > user dfgdf from xxxx port 3602 ssh2"
> > 
> > <rule provider='balabit' id='ssh-failed' class='violation'>
> > <patterns>
> > <pattern>@ESTRING:FailedLogin_MONTH: @@ESTRING:FailedLogin_DATE:
> > @@ESTRING:FailedLogin_TIME: @@ESTRING:FailedLogin_SERVER:
> > @@ESTRING:FailedL$
> > </patterns>
> > </rule>
> 
> I had this problem before as well. It's important to know that certain 
> headers are stripped off the message before they are parsed.
> 
> "Sep 13 17:34:00 server1 " should get stripped off before the match.
> 
> There's a thread from a while ago I started when I had this issue:

And before going any further, you could also use the patterndb patterns
which already cover this and are already tested.

http://git.balabit.hu/bazsi/syslog-ng-patterndb.git

-- 
Bazsi
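Added example, not from this thread or from the syslog-ng patterndb repository: the same rule rewritten so that its pattern matches only the message body, which is what syslog-ng hands to patterndb after the "Sep 13 17:34:00 server1 " header and the "sshd[20981]:" program part have been stripped (as the reply above explains). The ruleset's own `<pattern>` matches the program name (what `-P` supplies on the pdbtool command line), and the rule's `<pattern>` matches $MESSAGE. The ruleset/rule ids, the `ssh.*` name prefix and the provider value are placeholders chosen for this illustration.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2010-09-03'>
  <!-- The ruleset pattern is matched against $PROGRAM, not against the message. -->
  <ruleset name='sshd' id='ruleset-id-placeholder'>
    <pattern>sshd</pattern>
    <rules>
      <!-- The rule pattern is matched against $MESSAGE only: no timestamp,
           no host, no program/pid. Each @ESTRING:name:delim@ consumes text
           up to the delimiter, so the header fields of the original
           pattern (MONTH, DATE, TIME, SERVER) must not appear here. -->
      <rule provider='example' id='rule-id-placeholder' class='violation'>
        <patterns>
          <pattern>Failed @ESTRING:ssh.auth_method: @for invalid user @ESTRING:ssh.username: @from @ESTRING:ssh.client_ip: @port @ESTRING:ssh.client_port: @ssh2</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

To check this rule the way syslog-ng will see the message, pass pdbtool only the message body (`-P sshd -M "Failed keyboard-interactive/pam for invalid user dfgdf from xxxx port 3602 ssh2"`); the original test succeeded precisely because the full line, header included, was fed in as if it were $MESSAGE, which never happens inside a running syslog-ng.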