[syslog-ng] Pattern matching.
Anup Shetty
anupdshetty at gmail.com
Thu Dec 22 10:01:07 CET 2011
Nope, no luck yet. Still blanks being spit out.
Here's the exact extract of the pattern matching and the log:
Pattern String
---------------------------
@ESTRING:user::@ Security Microsoft Windows security auditing.: [Success
Audit] A computer account was changed. Subject: Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon
ID: 0x3e6 Computer Account That Was Changed: Security ID: @ESTRING::
@Account Name: @ESTRING:ACC_NAME: @ Account Domain: WW002 Changed
Attributes: SAM Account Name: - Display Name: - User Principal Name:
- Home Directory: - Home Drive: - Script Path: - Profile Path:
- User Workstations: - Password Last Set: @ESTRING:: @@ESTRING:: @
Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old
UAC Value: - New UAC Value: - User Account Control: - User
Parameters: - SID History: - Logon Hours: - DNS Host Name: -
Service Principal Names: - Additional Information: Privileges: -
(EventID 4742)
Log
------------------
Dec 22 03:38:32
Server.zoom11.test.netMicrosoft_Windows_security_auditing.[5784]: :
Security Microsoft Windows
security auditing.: [Success Audit] A computer account was changed.
Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY Logon ID: 0x3e6 Computer Account That
Was Changed: Security ID: S-1-5-21-776561741-789336058-725345543-305444
Account Name: User1$ Account Domain: TEST Changed Attributes:
SAM Account Name: - Display Name: - User Principal Name: - Home
Directory: - Home Drive: - Script Path: - Profile Path: - User
Workstations: - Password Last Set: 12/22/2011 3:38:32 AM Account
Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value:
- New UAC Value: - User Account Control: - User Parameters: - SID
History: - Logon Hours: - DNS Host Name: - Service Principal
Names: - Additional Information: Privileges: - (EventID 4742)
2011/12/22 Fekete Róbert <frobert at balabit.hu>
>
> On Wednesday, December 21, 2011 16:22 CET, Anup Shetty <
> anupdshetty at gmail.com> wrote:
>
> > I am trying to match the pattern for DC logs and here is my XML format
> >
> > Here's the patterndb.xml file at /opt/syslog-ng/var/patterndb.xml
> > ---------------------------------------
> > <?xml version='1.0' encoding='UTF-8'?>
> > <patterndb version='3' pub_date='2011-12-21'>
> > <ruleset id='90c9b341f4e3d63c5ed8b29950491bf8' name='Domain Ctrls'>
> > <rules>
> > <rule provider='localtest' id='012c230f236d6a3f761ba956e7dff26a'
> > class='system'>
> > <patterns>
> > <pattern>
> > @ESTRING:user::@ Security Microsoft Windows security auditing.: [Success
> > Audit] A computer account was changed. Subject: Security ID:
> > S-1-5-7
> > Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon
> > ID: 0x3e6 Computer Account That Was Changed: Security ID:
> > @ESTRING::
> > @Account Name: @ESTRING:ACC_NAME: @ Account Domain: testdomain
> > Changed Attributes: SAM Account Name: - Display Name: - User
> > Principal Name: - Home Directory: - Home Drive: - Script Path: -
> > Profile Path: - User Workstations: - Password Last Set: @ESTRING::
> > @@ESTRING:: @ Account Expires: - Primary Group ID: -
> > AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User
> > Account Control: - User Parameters: - SID History: - Logon Hours:
> > -
> > DNS Host Name: - Service Principal Names: - Additional
> > Information:
> > Privileges: - (EventID 4742)
> > </pattern>
> > </patterns>
> >
> > </rule>
> > </rules>
> > </ruleset>
> > </patterndb>
> >
> > ---------------------------------------
> > Here's the syslog-ng conf extract:
> > ---------------------------------------
> > parser pattern_db {
> > db_parser(
> > file("/opt/syslog-ng/var/patterndb.xml")
> > );
> > };
> > destination patt_d{
> >
> > file("/data/test/${R_YEAR}/${R_MONTH}/${R_DAY}/Domain_Ctrl__${SOURCEIP}_${R_YEAR}_${R_MONTH}_${R_DAY}.log"
> > owner("test")
> > group("test")
> > perm(0660)
> > dir-owner("test")
> > dir-group("test")
> > dir-perm(0770)
> > template("$ACC_NAME\n $MSG\n")
> > );
> > };
> >
> > ---------------------------------
> >
> > but the ACC_NAME returns blank, although the log contains that field.
> Hi,
>
> Try
> template("${ACC_NAME}\n $MSG\n")
>
> HTH,
>
> Robert
>
> >
> >
> > --
> > Thanks
> > Anup
--
Thanks and regards,
Anup
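The @ESTRING@ behaviour this thread turns on, as an added Python emulation that is neither syslog-ng's matcher nor code from the mails: the delimiter written after the second colon is consumed, so any literal placed right after the closing @ (a space, a hard-coded domain) must also be present in the message, and when the pattern misses as a whole no name/value pair is set, which is exactly what a blank macro in the template looks like. The sample line, the two pattern strings and the use of @ANYSTRING@ are constructed for this example.

```python
import re

# Emulation (not syslog-ng's radix-tree matcher) of two documented patterndb
# tokens: @ESTRING:name:delim@ captures up to the delimiter and consumes it,
# @ANYSTRING:name@ captures the rest of the message.
TOKEN_RE = re.compile(r"@ESTRING:([^:@]*):([^@]*)@|@ANYSTRING:([^@]*)@")


def match_pattern(pattern, message):
    """Return (values, None) on a full match, else ({}, offset) with the
    message offset where matching stopped.  Empty values on a miss mirror
    patterndb: a name is set only when the whole pattern matches."""
    values, pos, last = {}, 0, 0
    for tok in TOKEN_RE.finditer(pattern):
        lit = pattern[last:tok.start()]          # literal text before token
        if not message.startswith(lit, pos):
            return {}, pos
        pos, last = pos + len(lit), tok.end()
        if tok.group(3) is not None:             # @ANYSTRING:name@
            values[tok.group(3)] = message[pos:]
            pos = len(message)
            continue
        name, delim = tok.group(1), tok.group(2)
        end = message.find(delim, pos)
        if end < 0:
            return {}, pos
        if name:                                 # unnamed ESTRING only skips
            values[name] = message[pos:end]
        pos = end + len(delim)                   # delimiter is consumed
    tail = pattern[last:]
    if not message.startswith(tail, pos) or pos + len(tail) != len(message):
        return {}, pos
    return values, None


# Constructed sample (not a line from the thread) in the shape of the
# "Account Name: ... Account Domain: ..." fragment of event 4742.
SAMPLE = "Account Name: User1$ Account Domain: TEST Changed Attributes: -"
# Delimiter is the single space; nothing site-specific is hard-coded.
GOOD = ("Account Name: @ESTRING:ACC_NAME: @Account Domain: "
        "@ESTRING:DOMAIN: @Changed Attributes: @ANYSTRING:REST@")
# Literal space after the consumed delimiter plus a hard-coded domain: both
# must occur verbatim in the message, otherwise the whole rule misses.
BAD = ("Account Name: @ESTRING:ACC_NAME: @ Account Domain: WW002 "
       "Changed Attributes: @ANYSTRING:REST@")

if __name__ == "__main__":
    for label, pat in (("good", GOOD), ("bad", BAD)):
        print(label, match_pattern(pat, SAMPLE))
```

The offset returned on a miss points at the first message character the pattern could not consume, which is usually enough to spot the stray literal.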