[syslog-ng] patterndb
Martin Holste
mcholste at gmail.com
Fri Nov 18 19:11:02 CET 2011
Basically, but you'll want to use a special template to take advantage
of the parsed stuff. Here's a bare example from ELSA again:
http://enterprise-log-search-and-archive.googlecode.com/svn/trunk/elsa/node/conf/syslog-ng.conf
On Fri, Nov 18, 2011 at 11:28 AM, Gianluca Tranelli
<g.tranelli at inarcassa.it> wrote:
> Thanks, but what exactly do I have to write in my syslog-ng.conf?
> I wrote this:
>
> destination d_garante {
>     file("/var/log/garante");
> };
>
> parser pattern_db {
>     db_parser(file("/var/lib/syslog-ng/patterndb.xml"));
> };
>
> log {
>     source(s_local);
>     source(s_network);
>     parser(pattern_db);
>     destination(d_garante);
> };
>
> is this right?
>
>
> ----- Message from mcholste at gmail.com ---------
> Date: Fri, 18 Nov 2011 09:15:33 -0600
> From: Martin Holste <mcholste at gmail.com>
> Reply-To: Syslog-ng users' and developers' mailing list
> <syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] patterndb
> To: Syslog-ng users' and developers' mailing list
> <syslog-ng at lists.balabit.hu>
>
>
>> From
>>
>> http://enterprise-log-search-and-archive.googlecode.com/svn/trunk/elsa/node/conf/patterndb.xml:
>>
>> <patterndb version='3' pub_date='2009-11-04'>
>>   <ruleset name="ssh">
>>     <pattern>sshd</pattern>
>>     <rules>
>>       <rule class="11" id="11">
>>         <patterns>
>>           <!-- s0=usracct.authmethod, s1=usracct.username, s2=usracct.device, i0=port, s3=usracct.service -->
>>           <pattern>Accepted @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
>>         </patterns>
>>       </rule>
>>       <rule class="12" id="12">
>>         <patterns>
>>           <!-- s0=usracct.authmethod, s1=usracct.username, s2=usracct.device, i0=port, s3=usracct.service -->
>>           <pattern>Failed @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
>>           <pattern>Failed @ESTRING:s0: @for invalid user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
>>           <pattern>Failed @ESTRING:s0: @for illegal user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
>>         </patterns>
>>       </rule>
>>       <rule class="13" id="13">
>>         <patterns>
>>           <!-- s0=usracct.username -->
>>           <pattern>pam_unix(sshd:session): session closed for user @ANYSTRING:s0:@</pattern>
>>           <pattern>session closed for user @ANYSTRING:s0:@</pattern>
>>         </patterns>
>>       </rule>
>>     </rules>
>>   </ruleset>
>> </patterndb>
>> On Fri, Nov 18, 2011 at 2:31 AM, Gianluca Tranelli
>> <g.tranelli at inarcassa.it> wrote:
>>> Good morning everybody, the time is very good here in Rome, but I don't
>>> want to talk about the weather but about patterndb, which is driving me crazy.
>>> After reading all the administration guide v3.3, I found an example of
>>> using patterndb to log the duration of an ssh Linux and to log a new formatted
>>> message. I just copied the XML, ran update-patterndb, but nothing happened.
>>> Do I miss something? Can someone post a complete working example on ssh?
>>> Patterndb is driving me crazy.
>>>
>>> Thank you in advance.
>>>
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>
>
> ----- End of message from mcholste at gmail.com -----
>
>
>
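Martin's point above is that the quoted configuration classifies the messages but then writes them to a file unchanged, so the fields the rules extract are never seen. The fragment below is an added example, not part of this thread and not taken from the ELSA configuration he links: it adds a template that emits the rule's class and id together with the named fields (s0, s1, s2, i0, s3) the quoted patterndb rules fill in, and a filter that routes the failed-login class (12) to its own file. It assumes the source and parser names from Gianluca's snippet (s_local, s_network, pattern_db); the output paths are placeholders.

```conf
# Added example: consume the name-value pairs produced by the quoted patterndb
# rules. Assumes sources s_local/s_network and parser pattern_db are defined
# as in the quoted snippet; file paths below are placeholders.

# Every message that passed through db_parser carries the matched rule's class
# and id in ${.classifier.class} / ${.classifier.rule_id}; the named parsers in
# a <pattern> (s0, s1, s2, i0, s3) are available as ordinary macros.
template t_ssh_parsed {
    template("${ISODATE} ${HOST} class=${.classifier.class} rule=${.classifier.rule_id} "
             "authmethod=${s0} user=${s1} src=${s2} port=${i0} service=${s3}\n");
};

# Only messages matched by one of the three quoted rules (classes 11, 12, 13).
filter f_ssh_classified {
    match("^1[123]$" value(".classifier.class"));
};

# Rule 12 covers the "Failed ... for [invalid|illegal] user ..." variants.
filter f_ssh_failed {
    match("^12$" value(".classifier.class"));
};

destination d_ssh_parsed {
    file("/var/log/ssh-parsed.log" template(t_ssh_parsed));
};

destination d_ssh_failed {
    file("/var/log/ssh-failed.log" template(t_ssh_parsed));
};

log {
    source(s_local);
    source(s_network);
    parser(pattern_db);

    # Everything the ruleset recognised, in the structured form above.
    log {
        filter(f_ssh_classified);
        destination(d_ssh_parsed);
    };

    # Failed logins separately, so they can be watched or shipped on their own.
    log {
        filter(f_ssh_failed);
        destination(d_ssh_failed);
    };
};
```

Keep in mind that the quoted ruleset only applies to messages whose program name is sshd (the `<pattern>sshd</pattern>` under the ruleset), and that a message which matches no rule carries no s0..s3 values, so the corresponding fields in the template simply come out empty; filtering on the class, as done here, avoids writing those half-empty lines.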