[syslog-ng] Pattern matching.
Balazs Scheidler
bazsi at balabit.hu
Thu Dec 22 15:04:49 CET 2011
On Thu, 2011-12-22 at 14:31 +0530, Anup Shetty wrote:
> Nope, no luck yet. Still blanks being spit out.
>
>
> Here's the exact extract of the pattern matching and the log:
>
>
> Pattern String
> ---------------------------
>
>
> @ESTRING:user::@ Security Microsoft Windows security auditing.:
> [Success Audit] A computer account was changed. Subject: Security
> ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT
> AUTHORITY Logon ID: 0x3e6 Computer Account That Was Changed:
> Security ID: @ESTRING:: @Account Name: @ESTRING:ACC_NAME: @
> Account Domain: WW002 Changed Attributes: SAM Account Name: -
> Display Name: - User Principal Name: - Home Directory: - Home
> Drive: - Script Path: - Profile Path: - User Workstations: -
> Password Last Set: @ESTRING:: @@ESTRING:: @ Account Expires: -
> Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New
> UAC Value: - User Account Control: - User Parameters: - SID
> History: - Logon Hours: - DNS Host Name: - Service Principal
> Names: - Additional Information: Privileges: - (EventID 4742)
>
>
> Log
> ------------------
>
>
> Dec 22 03:38:32 Server.zoom11.test.net
> Microsoft_Windows_security_auditing.[5784]: : Security Microsoft
> Windows security auditing.: [Success Audit] A computer account was
> changed. Subject: Security ID: S-1-5-7 Account Name:
> ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3e6
> Computer Account That Was Changed: Security ID:
> S-1-5-21-776561741-789336058-725345543-305444 Account Name: User1$
> Account Domain: TEST Changed Attributes: SAM Account Name: -
> Display Name: - User Principal Name: - Home Directory: - Home
> Drive: - Script Path: - Profile Path: - User Workstations: -
> Password Last Set: 12/22/2011 3:38:32 AM Account Expires: -
> Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New
> UAC Value: - User Account Control: - User Parameters: - SID
> History: - Logon Hours: - DNS Host Name: - Service Principal
> Names: - Additional Information: Privileges: - (EventID 4742)
>
>
"pdbtool match" can be used to test patterns.
pdbtool match -p <path to xml file> -P '<appname>' -M '<msg>' --debug --color-out
This even colours the output so that the partial matches can be
recognized. This is the best way to troubleshoot patterns.
--
Bazsi
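The following is an added example, not code from the thread or from syslog-ng. It is a toy re-implementation of the one parser the quoted pattern uses, @ESTRING:name:delimiter@ (match up to the delimiter, consume it, store the value if a name is given), and its only purpose is to show what pdbtool match --color-out lets you see: how far into the message a pattern gets before it stops. The message and pattern constants are the ones quoted above, re-joined without the e-mail line wraps (that re-joining is an assumption), and the field names SID, ACC_DOMAIN and PWD_* in the corrected pattern are my own choice. Under these toy semantics the posted pattern stops at "Account Domain:", where the pattern has the literal WW002 and the log has TEST; once that is replaced with a parser, the next stop is the "AM" token after the password date, which the two @ESTRING:: @ parsers do not consume. pdbtool match against the real pattern database remains the authority on what patterndb itself does.

```python
"""Toy ESTRING-only matcher to locate where a patterndb pattern stops.

This is NOT syslog-ng's matcher (patterndb uses a radix tree and many more
parser types).  It only knows literal text and @ESTRING:name:delimiter@.
"""
import re

# @ESTRING:name:delimiter@ -- name may be empty (value discarded); the
# delimiter is a literal string that is searched for and consumed.
ESTRING_RE = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")


def tokenize(pattern):
    """Split a pattern into ("lit", text) and ("estring", name, delim) tokens."""
    tokens, pos = [], 0
    for m in ESTRING_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("lit", pattern[pos:m.start()]))
        tokens.append(("estring", m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("lit", pattern[pos:]))
    return tokens


def match(pattern, message):
    """Walk the message left to right.

    Returns (matched, fields, stop): `stop` is the message offset at which
    matching stopped, so on failure message[stop:] is the first text the
    pattern could not account for.  The whole message must be consumed for
    a match (assumed here to mirror patterndb; pdbtool is the authority).
    """
    fields, pos = {}, 0
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            lit, n = tok[1], 0
            # advance over the common prefix so `stop` points at the divergence
            while n < len(lit) and pos + n < len(message) and lit[n] == message[pos + n]:
                n += 1
            pos += n
            if n < len(lit):
                return False, fields, pos
        else:
            _, name, delim = tok
            end = message.find(delim, pos)
            if end < 0:
                return False, fields, pos
            if name:
                fields[name] = message[pos:end]
            pos = end + len(delim)
    return pos == len(message), fields, pos


def explain(pattern, message):
    """One-line verdict, the textual equivalent of eyeballing --color-out."""
    ok, fields, stop = match(pattern, message)
    if ok:
        return "MATCH %r" % (fields,)
    return "NO MATCH after %d chars; unmatched text begins %r" % (stop, message[stop:stop + 24])


# Constructed from the quoted post: the ${MESSAGE} part of the log line (what
# pdbtool match -M takes) with the e-mail line wraps removed (assumption).
HEAD = (" Security Microsoft Windows security auditing.: [Success Audit] A computer "
        "account was changed. Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS "
        "LOGON Account Domain: NT AUTHORITY Logon ID: 0x3e6 Computer Account That "
        "Was Changed: Security ID: ")
MIDDLE = ("Changed Attributes: SAM Account Name: - Display Name: - User Principal "
          "Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - "
          "User Workstations: - Password Last Set: ")
TAIL = ("Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: "
        "- New UAC Value: - User Account Control: - User Parameters: - SID History: - "
        "Logon Hours: - DNS Host Name: - Service Principal Names: - Additional "
        "Information: Privileges: - (EventID 4742)")
MESSAGE = (":" + HEAD + "S-1-5-21-776561741-789336058-725345543-305444 Account Name: "
           "User1$ Account Domain: TEST " + MIDDLE + "12/22/2011 3:38:32 AM " + TAIL)

# The pattern as posted (wraps removed).
POSTED_PATTERN = ("@ESTRING:user::@" + HEAD + "@ESTRING:: @Account Name: @ESTRING:ACC_NAME: @"
                  "Account Domain: WW002 " + MIDDLE + "@ESTRING:: @@ESTRING:: @ " + TAIL)
# Only the hard-coded domain replaced by a parser: the next stop is the "AM" token.
HALF_FIXED_PATTERN = POSTED_PATTERN.replace("WW002 ", "@ESTRING:: @")
# Domain and the three tokens of the timestamp captured; field names are mine.
FIXED_PATTERN = ("@ESTRING:user::@" + HEAD + "@ESTRING:SID: @Account Name: @ESTRING:ACC_NAME: @"
                 "Account Domain: @ESTRING:ACC_DOMAIN: @" + MIDDLE +
                 "@ESTRING:PWD_DATE: @@ESTRING:PWD_TIME: @@ESTRING:PWD_AMPM: @" + TAIL)

if __name__ == "__main__":
    for label, pattern in (("posted", POSTED_PATTERN), ("half fixed", HALF_FIXED_PATTERN),
                           ("fixed", FIXED_PATTERN)):
        print("%-10s %s" % (label, explain(pattern, MESSAGE)))
```

Run it and the three verdicts show the stop point moving forward as each literal that the log does not contain is replaced by a parser; do the same check with pdbtool match -P '<appname>' -M '<msg>' --color-out against the real .xml before trusting a corrected pattern, since the program name in the ruleset must match as well and the real matcher knows more parser types than this toy.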