[syslog-ng] Message parameter substitution

Anup Shetty anupdshetty at gmail.com
Wed Dec 21 14:30:01 CET 2011


One copy of the original logs is logged on to the disk and the anonymized
copy gets forwarded.

On Wed, Dec 21, 2011 at 6:47 PM, Balazs Scheidler <bazsi at balabit.hu> wrote:

> On Wed, 2011-12-21 at 14:31 +0530, Anup Shetty wrote:
> > I am new to syslog-ng and would like some help on the pattern matching
> > and the substitution option. Currently the requirement is to
> > substitute a parameter in the message with a random value in order to
> > anonymize it.
> >
> > For example:
> >
> > Dec 31 23:13:25 servername sshd[25218]: Failed
> > keyboard-interactive/pam for user1 from 10.x.x.x port 47325 ssh2
> >
> >
> > If I create a pattern database for this message and pick out the
> > username using the string and substitute it user1 to say anon1, will I
> > be able to store the original-substituted value pair for this user and
> > use it repeatedly?
> > Would I be able to do it for all the subsequent logs?
> >
> >
> > To be clearer, here is an example of the substitution process that must
> > happen as the logs arrive and the patterns are matched.
> > log with user1 arrives and is substituted by anon1
> > log with user2 arrives and is substituted by anon2
> > again log with user1 arrives and is again substituted by anon1
> > log with user3 arrives and is substituted by anon3
> > again log with user2 arrives and is again substituted by anon2
> > .
> > .
> > .
> > .
> > This is required so that once the usernames are substituted for
> > attaining anonymity, there must be a way to reverse them for audit
> > purposes.
>
> Do you want to do that on-the-fly or during post-processing?
>
> Right now it is not possible to do with patterndb only as it only
> extracts information from messages and never changes them, but
> anonymization has always been a hidden agenda of patterndb, which never
> materialized.
>
> --
> Bazsi
>
>
>
>


-- 
Thanks
Anup
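The consistent, reversible substitution Anup describes, as an added example that is not part of the thread and not a syslog-ng or patterndb feature: a stand-alone Python filter that rewrites the sshd message format quoted above, hands out anon1, anon2, ... in first-seen order, and keeps the forward and reverse mapping so an auditor can undo it. The sample log lines and the Pseudonymizer class are constructed for this example.

```python
import json
import re

# Constructed sample lines in the sshd format quoted in the thread.
SAMPLE_LOGS = [
    "Dec 31 23:13:25 servername sshd[25218]: Failed keyboard-interactive/pam for user1 from 10.x.x.x port 47325 ssh2",
    "Dec 31 23:13:31 servername sshd[25219]: Failed keyboard-interactive/pam for user2 from 10.x.x.x port 47326 ssh2",
    "Dec 31 23:13:40 servername sshd[25220]: Failed keyboard-interactive/pam for user1 from 10.x.x.x port 47327 ssh2",
    "Dec 31 23:13:52 servername sshd[25221]: Failed keyboard-interactive/pam for user3 from 10.x.x.x port 47328 ssh2",
    "Dec 31 23:14:03 servername sshd[25222]: Failed keyboard-interactive/pam for user2 from 10.x.x.x port 47329 ssh2",
]

# Isolates the username in "sshd[PID]: Failed <method> for <user> from <host> port <port> ssh2".
FAILED_LOGIN = re.compile(
    r"(?P<prefix>sshd\[\d+\]: Failed \S+ for )(?P<user>\S+)(?P<suffix> from \S+ port \d+ ssh2)"
)


class Pseudonymizer:
    """Hands out anonN pseudonyms in first-seen order and remembers both directions."""

    def __init__(self):
        self.forward = {}  # real username -> pseudonym
        self.reverse = {}  # pseudonym -> real username

    def pseudonym(self, user):
        # Same real user always gets the same alias; new users get the next number.
        if user not in self.forward:
            alias = f"anon{len(self.forward) + 1}"
            self.forward[user] = alias
            self.reverse[alias] = user
        return self.forward[user]

    def anonymize(self, line):
        # Lines that do not match the pattern are passed through untouched.
        return FAILED_LOGIN.sub(
            lambda m: m.group("prefix") + self.pseudonym(m.group("user")) + m.group("suffix"), line)

    def deanonymize(self, line):
        # Reverse lookup for audit; unknown aliases are left as they are.
        return FAILED_LOGIN.sub(
            lambda m: m.group("prefix") + self.reverse.get(m.group("user"), m.group("user")) + m.group("suffix"), line)

    def mapping_json(self):
        # The audit record to keep alongside the original (non-anonymized) log copy.
        return json.dumps(self.forward, sort_keys=True)


def process(lines):
    """Anonymize a batch of lines; returns the rewritten lines and the user->alias table."""
    p = Pseudonymizer()
    return [p.anonymize(line) for line in lines], dict(p.forward)
```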