[syslog-ng] Pattern matching.

Anup Shetty anupdshetty at gmail.com
Wed Dec 21 16:22:03 CET 2011


I am trying to match the pattern for DC logs and here is my XML format

Here's the patterndb.xml file at /opt/syslog-ng/var/patterndb.xml:
---------------------------------------
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2011-12-21'>
  <ruleset id='90c9b341f4e3d63c5ed8b29950491bf8' name='Domain Ctrls'>
    <rules>
      <rule provider='localtest' id='012c230f236d6a3f761ba956e7dff26a' class='system'>
        <patterns>
          <pattern>
@ESTRING:user::@ Security Microsoft Windows security auditing.: [Success
Audit] A computer account was changed.    Subject:   Security ID:  S-1-5-7
  Account Name:  ANONYMOUS LOGON   Account Domain:  NT AUTHORITY   Logon
ID:  0x3e6    Computer Account That Was Changed:   Security ID:  @ESTRING::
 @Account Name:   @ESTRING:*ACC_NAME*: @   Account Domain:  testdomain
 Changed Attributes:   SAM Account Name: -   Display Name:  -   User
Principal Name: -   Home Directory:  -   Home Drive:  -   Script Path:  -
Profile Path:  -   User Workstations: -   Password Last Set: @ESTRING::
@@ESTRING:: @   Account Expires:  -   Primary Group ID: -
AllowedToDelegateTo: -   Old UAC Value:  -   New UAC Value:  -   User
Account Control: -   User Parameters: -   SID History:  -   Logon Hours:  -
  DNS Host Name:  -   Service Principal Names: -    Additional Information:
  Privileges:  - (EventID 4742)
          </pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>

---------------------------------------
Here's the syslog-ng conf extract:
---------------------------------------
parser pattern_db {
    db_parser(
        file("/opt/syslog-ng/var/patterndb.xml")
    );
};

destination patt_d {
    file("/data/test/${R_YEAR}/${R_MONTH}/${R_DAY}/Domain_Ctrl__${SOURCEIP}_${R_YEAR}_${R_MONTH}_${R_DAY}.log"
        owner("test")
        group("test")
        perm(0660)
        dir-owner("test")
        dir-group("test")
        dir-perm(0770)
        template("$*ACC_NAME*\n $MSG\n")
    );
};

---------------------------------

but the *ACC_NAME* returns blank, although the log contains that field.


-- 
Thanks
Anup
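Added example, not part of the post and not syslog-ng's own code: a toy Python re-implementation of the two pieces the question touches, `@ESTRING:name:delimiter@` matching and `$NAME`/`${NAME}` template expansion. It runs the post's pattern layout over a constructed, shortened 4742 event and shows two things: the delimiter-based capture only works when the literal spacing in the pattern equals the spacing in the message, and a template that writes `$*ACC_NAME*` never references any parsed value at all (the toy only resolves macro names made of letters, digits, underscore and dot, which is an assumption about the safe subset rather than a statement of syslog-ng's exact rules). The parser names `host`, `target_sid` and `ACC_NAME`, the sample message, and the rule that a pattern must consume the whole message are all constructed for the example.

```python
"""Toy patterndb: @ESTRING@ parsers plus $NAME / ${NAME} template expansion.
Added illustration only; simplified semantics, not syslog-ng's implementation."""
import re
from typing import Dict, List, Optional, Tuple

# One @ESTRING:name:delimiter@ parser; an empty name means "match but discard".
PARSER_RE = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")
# Names a template can reference as $NAME or ${NAME}.  Toy charset: letters,
# digits, underscore and dot.  Note that '*' is not in it, so "$*ACC_NAME*"
# is not a macro reference.
MACRO_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}|\$([A-Za-z0-9_.]+)")


def compile_pattern(pattern: str) -> List[Tuple[str, str, str]]:
    """Split a pattern into ('lit', text, '') and ('estring', name, delim) tokens."""
    tokens: List[Tuple[str, str, str]] = []
    pos = 0
    for m in PARSER_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("lit", pattern[pos:m.start()], ""))
        tokens.append(("estring", m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("lit", pattern[pos:], ""))
    return tokens


def match(pattern: str, msg: str) -> Optional[Dict[str, str]]:
    """Return captured name/value pairs, or None if the pattern does not match."""
    values: Dict[str, str] = {}
    pos = 0
    for kind, a, b in compile_pattern(pattern):
        if kind == "lit":
            if not msg.startswith(a, pos):
                return None           # literal text differs (spacing counts)
            pos += len(a)
        else:
            name, delim = a, b
            end = len(msg) if delim == "" else msg.find(delim, pos)
            if end < 0:
                return None           # ESTRING needs its delimiter to appear
            if name:
                values[name] = msg[pos:end]
            pos = end + len(delim)    # the delimiter itself is consumed
    # Toy rule: the pattern has to consume the whole message.
    return values if pos == len(msg) else None


def template_refs(template: str) -> List[str]:
    """Names a template actually references via $NAME or ${NAME}."""
    return [g1 or g2 for g1, g2 in MACRO_RE.findall(template)]


def expand(template: str, values: Dict[str, str]) -> str:
    """Substitute referenced names; unknown names expand to the empty string."""
    return MACRO_RE.sub(lambda m: values.get(m.group(1) or m.group(2), ""), template)


# Constructed, shortened 4742 event laid out like the post's pattern (not real data).
SAMPLE_MSG = (
    "DC01: Security Microsoft Windows security auditing.: [Success Audit] "
    "A computer account was changed.    Subject:   Security ID:  S-1-5-7   "
    "Account Name:  ANONYMOUS LOGON   Account Domain:  NT AUTHORITY   "
    "Logon ID:  0x3e6    Computer Account That Was Changed:   "
    "Security ID:  S-1-5-21-1-2-3-1105   Account Name:   WS01$   "
    "Account Domain:  testdomain"
)

# The post's pattern up to the target account domain, with the parser named
# ACC_NAME (no asterisks) so that a template can refer to it as ${ACC_NAME}.
PATTERN = (
    "@ESTRING:host::@ Security Microsoft Windows security auditing.: [Success Audit] "
    "A computer account was changed.    Subject:   Security ID:  S-1-5-7   "
    "Account Name:  ANONYMOUS LOGON   Account Domain:  NT AUTHORITY   "
    "Logon ID:  0x3e6    Computer Account That Was Changed:   "
    "Security ID:  @ESTRING:target_sid: @  Account Name:   @ESTRING:ACC_NAME: @  "
    "Account Domain:  testdomain"
)

WRONG_TEMPLATE = "$*ACC_NAME*\n $MSG\n"   # as written in the post
RIGHT_TEMPLATE = "${ACC_NAME}\n $MSG\n"   # references the parsed value


def parse_sample() -> Dict[str, str]:
    """Run the example pattern over the constructed message."""
    result = match(PATTERN, SAMPLE_MSG)
    return result if result is not None else {}


if __name__ == "__main__":
    values = parse_sample()
    values["MSG"] = SAMPLE_MSG
    print("parsed:", {k: v for k, v in values.items() if k != "MSG"})
    print("wrong template references:", template_refs(WRONG_TEMPLATE))
    print("right template references:", template_refs(RIGHT_TEMPLATE))
    print("first output line:", expand(RIGHT_TEMPLATE, values).split("\n")[0])
```

Running it shows `ACC_NAME` captured as `WS01$` while the post's template only references `MSG`; the same engine also returns no match when the delimiter an ESTRING needs is absent, which is the other common reason a field comes out empty.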