[syslog-ng] syslog-ng Digest, Vol 80, Issue 33
Martin Holste
mcholste at gmail.com
Fri Dec 23 15:39:46 CET 2011
Ah, "test" is only available in syslog-ng 3.3, so if you've got 3.2,
you'll need to do the traditional way with "match."
On Fri, Dec 23, 2011 at 5:25 AM, Anup Shetty <anupdshetty at gmail.com> wrote:
> I can't execute those commands. Here's the error
>
> Unknown command
> Syntax: pdbtool <command> [options]
> Possible commands are:
> match Match a message against the pattern database
> dump Dump pattern datebase tree
> merge Merge pattern databases
> dictionary Dump pattern dictionary
>
> Version
>
> syslog-ng-premium-edition 3.2.1
> Installer-Version: 3.2.1
>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Thu, 22 Dec 2011 13:11:05 -0600
>> From: Martin Holste <mcholste at gmail.com>
>> Subject: Re: [syslog-ng] Pattern matching.
>> To: "Syslog-ng users' and developers' mailing list"
>> <syslog-ng at lists.balabit.hu>
>> Message-ID: <CANpnLHgau7bZrSP2ro0QY=a8ZcJZLyqJgAVegWufDuszOjuCMA at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> You can also include an example pattern as part of the actual rule like
>> this:
>>
>> <ruleset>
>> <program></program>
>> <rule id="2">
>> <pattern>@ESTRING:user::@ Security Microsoft
>> Windows security auditing.: [Success Audit] A computer account was
>> changed. Subject: Security ID: S-1-5-7 Account Name:
>> ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3e6
>> Computer Account That Was Changed: Security ID: @ESTRING::
>> @Account Name: @ESTRING:ACC_NAME: @ Account Domain: WW002
>> Changed Attributes: SAM Account Name: - Display Name: - User
>> Principal Name: - Home Directory: - Home Drive: - Script Path:
>> - Profile Path: - User Workstations: - Password Last Set:
>> @ESTRING:: @@ESTRING:: @ Account Expires: - Primary Group ID: -
>> AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User
>> Account Control: - User Parameters: - SID History: - Logon
>> Hours: - DNS Host Name: - Service Principal Names: -
>> Additional Information: Privileges: - (EventID 4742)</pattern>
>> <examples>
>> <example>
>> <test_message
>> program="Microsoft_Windows_security_auditing.[5784]">: Security
>> Microsoft Windows security auditing.: [Success Audit] A computer
>> account was changed. Subject: Security ID: S-1-5-7 Account
>> Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID:
>> 0x3e6 Computer Account That Was Changed: Security ID:
>> S-1-5-21-776561741-789336058-725345543-305444 Account Name: User1$
>> Account Domain: TEST Changed Attributes: SAM Account Name: -
>> Display Name: - User Principal Name: - Home Directory: - Home
>> Drive: - Script Path: - Profile Path: - User Workstations: -
>> Password Last Set: 12/22/2011 3:38:32 AM Account Expires: -
>> Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New
>> UAC Value: - User Account Control: - User Parameters: - SID
>> History: - Logon Hours: - DNS Host Name: - Service Principal
>> Names: - Additional Information: Privileges: - (EventID
>> 4742)</test_message>
>> <test_value
>> name="ACC_NAME">User1$</test_value>
>> </example>
>> </examples>
>> </rule>
>> </ruleset>
>>
>> Then you can test it more easily like this:
>> pdbtool test patterndb.xml
>>
>> On Thu, Dec 22, 2011 at 8:04 AM, Balazs Scheidler <bazsi at balabit.hu>
>> wrote:
>> > On Thu, 2011-12-22 at 14:31 +0530, Anup Shetty wrote:
>> >> Nope, no luck yet. Still blanks being spit out.
>> >>
>> >>
>> >> Here's the exact extract of the pattern matching and the log:
>> >>
>> >>
>> >> Pattern String
>> >> ---------------------------
>> >>
>> >>
>> >> @ESTRING:user::@ Security Microsoft Windows security auditing.:
>> >> [Success Audit] A computer account was changed. ? ?Subject: ? Security
>> >> ID: ?S-1-5-7 ? Account Name: ?ANONYMOUS LOGON ? Account Domain: ?NT
>> >> AUTHORITY ? Logon ID: ?0x3e6 ? ?Computer Account That Was Changed:
>> >> Security ID: ?@ESTRING:: ?@Account Name: ? @ESTRING:ACC_NAME: @
>> >> Account Domain: ?WW002 ? ?Changed Attributes: ? SAM Account Name: -
>> >> Display Name: ?- ? User Principal Name: - ? Home Directory: ?- ? Home
>> >> Drive: ?- ? Script Path: ?- ? Profile Path: ?- ? User Workstations: -
>> >> Password Last Set: @ESTRING:: @@ESTRING:: @ ? Account Expires: ?-
>> >> Primary Group ID: - ? AllowedToDelegateTo: - ? Old UAC Value: ?- ? New
>> >> UAC Value: ?- ? User Account Control: - ? User Parameters: - ? SID
>> >> History: ?- ? Logon Hours: ?- ? DNS Host Name: ?- ? Service Principal
>> >> Names: - ? ?Additional Information: ? Privileges: ?- (EventID 4742)
>> >>
>> >>
>> >> Log
>> >> ------------------
>> >>
>> >>
>> >> Dec 22 03:38:32 Server.zoom11.test.net
>> >> Microsoft_Windows_security_auditing.[5784]: : Security Microsoft
>> >> Windows security auditing.: [Success Audit] A computer account was
>> >> changed. ? ?Subject: ? Security ID: ?S-1-5-7 ? Account Name:
>> >> ?ANONYMOUS LOGON ? Account Domain: ?NT AUTHORITY ? Logon ID: ?0x3e6
>> >> ?Computer Account That Was Changed: ? Security ID:
>> >> ?S-1-5-21-776561741-789336058-725345543-305444 ? Account Name: ?User1$
>> >> Account Domain: ?TEST ? ?Changed Attributes: ? SAM Account Name: -
>> >> Display Name: ?- ? User Principal Name: - ? Home Directory: ?- ? Home
>> >> Drive: ?- ? Script Path: ?- ? Profile Path: ?- ? User Workstations: -
>> >> Password Last Set: 12/22/2011 3:38:32 AM ? Account Expires: ?-
>> >> Primary Group ID: - ? AllowedToDelegateTo: - ? Old UAC Value: ?- ? New
>> >> UAC Value: ?- ? User Account Control: - ? User Parameters: - ? SID
>> >> History: ?- ? Logon Hours: ?- ? DNS Host Name: ?- ? Service Principal
>> >> Names: - ? ?Additional Information: ? Privileges: ?- (EventID 4742)
>> >>
>> >>
>> > "pdbtool match" can be used to test patterns.
>> >
>> > pdbtool match -p <path to xml file> -P '<appname>' -M '<msg>' --debug
>> > --color-out
>> >
>> > This even colours the output so that the partial matches can be
>> > recognized. This is the best way to troubleshoot patterns.
>> >
>> > --
>> > Bazsi
>> >
>
> --
> Thanks and regards,
> Anup
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>