[syslog-ng] Cant get pattern matching to work

Evan Rempel erempel at uvic.ca
Sun Feb 12 02:12:25 CET 2012


You need to have a pattern for your ruleset, which will match the $program macro.

<patterndb version='3' pub_date='2011-02-11'>
    <ruleset name='session_close' id='123456678'>
        <pattern>RT_FLOW</pattern>
        <rules>
            <rule provider='cj' id='182437592347598' class='session'>
            <patterns>
                <pattern>@ESTRING:TEST1:::@ @ANYSTRING:TEST2@</pattern>
                </patterns>
            </rule>
        </rules>
    </ruleset>
</patterndb>

Then TEST1 should be
RT_FLOW_SESSION_CLOSE

and TEST2 should be
session closed unset: 192.168.199.253/55189->8.8.8.8/53 junos-dns-udp X.X.X.X/60836->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 30455 1(83) 1(83) 2 N/A N/A N/A(N/A) vlan.0

Hope that helps.

Evan.
________________________________________
From: syslog-ng-bounces at lists.balabit.hu [syslog-ng-bounces at lists.balabit.hu] On Behalf Of Chris Johnson [masterof0 at gmail.com]
Sent: Saturday, February 11, 2012 4:44 PM
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Cant get pattern matching to work

Sorry for bombarding the mailing list with questions. I have been working through the documentation but just seem to keep hitting obstacles. I have compared this to the examples in the manual and some samples I was able to track down, but I'm not seeing where I am going wrong. For this question, I am working with the following data:

"MESSAGE" : "RT_FLOW_SESSION_CLOSE: session closed unset: 192.168.199.253/55189->8.8.8.8/53 junos-dns-udp X.X.X.X/60836->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 30455 1(83) 1(83) 2 N/A N/A N/A(N/A) vlan.0",
"PROGRAM" : "RT_FLOW"

Based on this, I have generated the following pattern database and config just to see if I am heading down the right path. Unfortunately, what I thought would generate a pattern match on the logs and generate the appropriate macros is not returning anything. I have also tried taking out the $PROGRAM pattern, but that did not seem to help. I have also validated this with pdbtool and it succeeds.

Any help is greatly appreciated
Chris

patterndb.xml

<patterndb version='3' pub_date='2011-02-11'>
    <ruleset name='session_close' id='123456678'>
        <rules>
            <rule provider='cj' id='182437592347598' class='session'>
                <patterns>
                    <pattern>
                    @ESTRING:TEST1:::@ @ANYSTRING:TEST2@
                    </pattern>
                </patterns>
            </rule>
        </rules>
    </ruleset>
</patterndb>


syslog-ng.conf

#####Destinations#####
destination d_mongodb {
        mongodb(
                value-pairs(
                        key("TEST1")
                        key("TEST2")
                        scope("base")
                )
        );
};

#####Parser#####
parser pattern_db {
        db_parser(
                file("/usr/local/etc/patterndb.xml")
        );
};

#####Log#####
log {
        source(s_network);
        parser(pattern_db);
        destination(d_mongodb);
};
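As an added example, not code from the thread or from the syslog-ng project: a POSIX shell script that writes the corrected database from Evan's reply (a ruleset-level <pattern> that matches $PROGRAM) next to the original version without it, embeds Chris's event as a patterndb <examples> test case with the TEST1/TEST2 values Evan gives, and, where pdbtool is installed, runs `pdbtool test --validate` and `pdbtool match -p ... -P RT_FLOW -M ...` against the live event. The file names and the helper function names are mine. The caveat it illustrates is that `pdbtool test --validate` only checks the XML against the schema; nothing is matched unless the rule carries an <examples> block for `pdbtool test` or you feed a message through `pdbtool match`.

```shell
#!/bin/sh
# Added example (hypothetical helper names); not part of the original thread.
set -eu

# Sample event from the thread: the PROGRAM and MESSAGE of Chris's event.
PROGRAM="RT_FLOW"
MESSAGE="RT_FLOW_SESSION_CLOSE: session closed unset: 192.168.199.253/55189->8.8.8.8/53 junos-dns-udp X.X.X.X/60836->8.8.8.8/53 source-nat-rule None 17 trust-to-untrust trust untrust 30455 1(83) 1(83) 2 N/A N/A N/A(N/A) vlan.0"

# write_patterndb FILE yes|no
# Writes the database to FILE. With "yes" the ruleset gets the <pattern> that
# matches $PROGRAM (Evan's fix); with "no" it is the version Chris posted.
# The <examples> block records the values Evan expects so that
# 'pdbtool test FILE' actually exercises the match instead of only
# validating the XML.
write_patterndb() {
    if [ "$2" = yes ]; then
        prog_pattern="        <pattern>$PROGRAM</pattern>"
    else
        prog_pattern=""
    fi
    cat > "$1" <<EOF
<patterndb version='3' pub_date='2011-02-11'>
    <ruleset name='session_close' id='123456678'>
$prog_pattern
        <rules>
            <rule provider='cj' id='182437592347598' class='session'>
                <patterns>
                    <pattern>@ESTRING:TEST1:::@ @ANYSTRING:TEST2@</pattern>
                </patterns>
                <examples>
                    <example>
                        <test_message program='$PROGRAM'>$MESSAGE</test_message>
                        <test_values>
                            <test_value name='TEST1'>RT_FLOW_SESSION_CLOSE</test_value>
                            <test_value name='TEST2'>${MESSAGE#*: }</test_value>
                        </test_values>
                    </example>
                </examples>
            </rule>
        </rules>
    </ruleset>
</patterndb>
EOF
}

# ruleset_pattern_count FILE
# Number of ruleset-level program patterns in FILE. Chris's version has 0,
# which is why no rule in the ruleset was ever consulted for RT_FLOW events.
ruleset_pattern_count() {
    { grep -c "^ *<pattern>$PROGRAM</pattern>" "$1" || true; }
}

# check_with_pdbtool FILE
# Validate the schema, run the embedded example, and match the live event.
# When pdbtool is not on this machine, print the commands to run on the
# syslog-ng host instead.
check_with_pdbtool() {
    db="$1"
    if ! command -v pdbtool >/dev/null 2>&1; then
        echo "pdbtool not found; run these on the syslog-ng host:"
        echo "  pdbtool test --validate $db"
        echo "  pdbtool test $db"
        echo "  pdbtool match -p $db -P $PROGRAM -M '$MESSAGE'"
        return 0
    fi
    pdbtool test --validate "$db"
    pdbtool test "$db"
    pdbtool match -p "$db" -P "$PROGRAM" -M "$MESSAGE"
}

tmp=$(mktemp -d)
write_patterndb "$tmp/broken.xml" no
write_patterndb "$tmp/fixed.xml" yes
echo "broken.xml: $(ruleset_pattern_count "$tmp/broken.xml") ruleset pattern(s)"
echo "fixed.xml:  $(ruleset_pattern_count "$tmp/fixed.xml") ruleset pattern(s)"
check_with_pdbtool "$tmp/fixed.xml"
```

`pdbtool match` prints the name-value pairs the rule extracted, so TEST1 and TEST2 should appear in its output for fixed.xml and be absent for broken.xml; the same database file is what `db_parser(file(...))` loads, so once `pdbtool match` shows the pairs the mongodb destination's `key("TEST1")` and `key("TEST2")` have something to send.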


Unfortunately, what I thought would pattern match and generate a macro for


More information about the syslog-ng mailing list