[syslog-ng] Pattern matching.

Fekete Róbert frobert at balabit.hu
Wed Dec 21 20:48:45 CET 2011


 
On Wednesday, December 21, 2011 16:22 CET, Anup Shetty <anupdshetty at gmail.com> wrote: 
 
> I am trying to match the pattern for DC logs and here is my XML format
> 
> Here's the patterndb.xml file at /opt/syslog-ng/var/patterndb.xml
> ---------------------------------------
> <?xml version='1.0' encoding='UTF-8'?>
> <patterndb version='3' pub_date='2011-12-21'>
> <ruleset id='90c9b341f4e3d63c5ed8b29950491bf8' name='Domain Ctrls'>
> <rules>
>         <rule provider='localtest' id='012c230f236d6a3f761ba956e7dff26a'
> class='system'>
>         <patterns>
>                         <pattern>
> @ESTRING:user::@ Security Microsoft Windows security auditing.: [Success
> Audit] A computer account was changed.    Subject:   Security ID:  S-1-5-7
>   Account Name:  ANONYMOUS LOGON   Account Domain:  NT AUTHORITY   Logon
> ID:  0x3e6    Computer Account That Was Changed:   Security ID:  @ESTRING::
>  @Account Name:   @ESTRING:*ACC_NAME*: @   Account Domain:  testdomain
>  Changed Attributes:   SAM Account Name: -   Display Name:  -   User
> Principal Name: -   Home Directory:  -   Home Drive:  -   Script Path:  -
> Profile Path:  -   User Workstations: -   Password Last Set: @ESTRING::
> @@ESTRING:: @   Account Expires:  -   Primary Group ID: -
> AllowedToDelegateTo: -   Old UAC Value:  -   New UAC Value:  -   User
> Account Control: -   User Parameters: -   SID History:  -   Logon Hours:  -
>   DNS Host Name:  -   Service Principal Names: -    Additional Information:
>   Privileges:  - (EventID 4742)
> </pattern>
>                     </patterns>
> 
> </rule>
> </rules>
> </ruleset>
> </patterndb>
> 
> ---------------------------------------
> Here's the syslog-ng conf extract:
> ---------------------------------------
> parser pattern_db {
>             db_parser(
>                 file("/opt/syslog-ng/var/patterndb.xml")
>             );
>             };
> destination patt_d{
> file("/data/test/${R_YEAR}/${R_MONTH}/${R_DAY}/Domain_Ctrl__${SOURCEIP}_${R_YEAR}_${R_MONTH}_${R_DAY}.log"
> owner("test")
>                 group("test")
>                 perm(0660)
>                 dir-owner("test")
>                 dir-group("test")
>                 dir-perm(0770)
> template("$*ACC_NAME*\n $MSG\n")
>         );
> };
> 
> ---------------------------------
> 
> but the *ACC_NAME* returns blank, although the log contains that field.
Hi, 

Try 
template("${ACC_NAME}\n $MSG\n")

HTH, 

Robert

> 
> 
> -- 
> Thanks
> Anup
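The point of the reply is that a patterndb parser such as `@ESTRING:ACC_NAME:...@` stores its value under the name between the colons, and a template reaches it with the usual macro syntax `${ACC_NAME}`; `$*ACC_NAME*` is not a macro reference, so nothing is substituted. The following is an added example, not syslog-ng's code: a deliberately simplified Python model of the `@ESTRING:name:delimiter@` parser and of `${NAME}` / `$NAME` macro expansion, run over a constructed 4742-style message. It assumes the pattern names the parser `ACC_NAME` (no asterisks), that `$MSG` holds the whole message, and that the whole message must be consumed for a match; real syslog-ng has many more parser types and macros than this.

```python
import re

# Constructed sample message, shaped like the event in the question (single spaces).
MESSAGE = (
    "dc01: Security Microsoft Windows security auditing.: [Success Audit] "
    "A computer account was changed. Subject: Security ID: S-1-5-7 "
    "Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3e6 "
    "Computer Account That Was Changed: Security ID: S-1-5-21-1-2-3-1108 "
    "Account Name: WS01$ Account Domain: testdomain (EventID 4742)"
)

# Constructed pattern using only @ESTRING:name:delimiter@ parsers. An empty name
# skips the field without storing it; the parser named ACC_NAME is the one the
# template wants. (Assumption: parser named ACC_NAME, not *ACC_NAME*.)
PATTERN = (
    "@ESTRING:user::@ Security Microsoft Windows security auditing.: [Success Audit] "
    "A computer account was changed. Subject: Security ID: @ESTRING:: Account Name: @"
    "@ESTRING:: Account Domain: @@ESTRING:: Logon ID: @"
    "@ESTRING:: Computer Account That Was Changed: Security ID: @"
    "@ESTRING:: Account Name: @@ESTRING:ACC_NAME: Account Domain: @"
    "@ESTRING:ACC_DOMAIN: (EventID @4742)"
)

# The template from the question and the one from the reply. A real syslog-ng
# config writes "\n" inside the quoted string; here they are Python newlines.
BAD_TEMPLATE = "$*ACC_NAME*\n $MSG\n"
GOOD_TEMPLATE = "${ACC_NAME}\n $MSG\n"


def compile_pattern(pattern):
    """Split a pattern into literal text and ESTRING parser descriptions."""
    parts = []
    pos = 0
    for m in re.finditer(r"@([^@]*)@", pattern):
        parts.append(("lit", pattern[pos:m.start()]))
        body = m.group(1)
        if body == "":
            parts.append(("lit", "@"))  # '@@' is an escaped literal '@'
        else:
            fields = body.split(":", 2)
            if fields[0] != "ESTRING" or len(fields) < 2:
                raise ValueError("only @ESTRING:name:delim@ is modelled: %r" % body)
            name = fields[1]
            delim = fields[2] if len(fields) == 3 else ""
            parts.append(("estring", name, delim))
        pos = m.end()
    parts.append(("lit", pattern[pos:]))
    return parts


def match(parts, message):
    """Return the parsed name->value dict, or None if the message does not match."""
    values = {}
    pos = 0
    for part in parts:
        if part[0] == "lit":
            if not message.startswith(part[1], pos):
                return None
            pos += len(part[1])
            continue
        _, name, delim = part
        if delim == "":
            end = next_pos = len(message)  # no delimiter: take the rest of the message
        else:
            end = message.find(delim, pos)
            if end < 0:
                return None
            next_pos = end + len(delim)
        if name:
            values[name] = message[pos:end]
        pos = next_pos
    return values if pos == len(message) else None


# ${NAME} or $NAME with identifier characters only; a '$' followed by anything
# else (such as '*') is left as literal text, which is why $*ACC_NAME* expands to nothing.
MACRO_RE = re.compile(r"\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))")


def expand(template, values):
    """Substitute macros in a template; unknown names expand to the empty string."""
    return MACRO_RE.sub(lambda m: values.get(m.group(1) or m.group(2), ""), template)


def demo():
    """Render the constructed message with the broken and the corrected template."""
    values = match(compile_pattern(PATTERN), MESSAGE)
    values = dict(values, MSG=MESSAGE)  # $MSG is a built-in macro in syslog-ng
    return expand(BAD_TEMPLATE, values), expand(GOOD_TEMPLATE, values)


if __name__ == "__main__":
    bad, good = demo()
    print("with $*ACC_NAME*:\n" + bad)
    print("with ${ACC_NAME}:\n" + good)
```

Running it shows the first template emitting the literal text `$*ACC_NAME*` on its first line, while the second emits the parsed account name; in the real system the same check is simplest with a `file()` destination whose template is just `${ACC_NAME}`, which confirms the parser name before the rest of the template is built around it.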