[syslog-ng] Please help getting patterndb working.

Nick linickx at gmail.com
Tue Dec 17 12:16:35 CET 2013


Hello,

By following the documentation examples I think I have recreated a
custom parser, but it doesn't work, please can you advise what I have
missed?

To create my patterndb I have used the example in link [1], to load it
and output to a file I have kinda copied the example in link [2].

The issue I have is that my output file is mostly empty, it's like the
variables are not being read properly.

In case the files do not render properly, please see this gist:
https://gist.github.com/linickx/8002981

I have built a clean fedora 19 box which ships with syslog-ng-3.4.6-1.

My /etc/syslog-ng/syslog-ng.conf looks like:

<PASTE>
@version:3.2

# Default options copied from distribution
options {

        flush_lines (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (yes);
        keep_hostname (yes);
        owner("nick");
        group("nick");
        perm(0640);
};

source test_logfile {
        file("/home/nick/testfile.log");
};

parser test_pattern {
        db_parser(
                file("/home/nick/example.xml")
        );
};

destination test_output {
        file("/home/nick/output.log"
                template("${SSH_USERNAME}; ${SSH_CLIENT_ADDRESS}; \n")
                template_escape(no)
        );
};

log { source (test_logfile); parser(test_pattern); destination (test_output); };
</PASTE>

The /home/nick/example.xml looks like

<PASTE>
<patterndb version='4' pub_date='2010-10-17'>
    <ruleset name='ssh' id='123456678'>
        <pattern>ssh</pattern>
            <rules>
                <rule provider='me' id='182437592347598' class='system'>
                    <patterns>
                        <pattern>Accepted @QSTRING:SSH.AUTH_METHOD: @ for@QSTRING:SSH_USERNAME: @from\ @QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
                    </patterns>
                    <examples>
                        <example>
                            <test_message>Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2</test_message>
                            <test_values>
                                <test_value name="SSH.AUTH_METHOD">password</test_value>
                                <test_value name="SSH_USERNAME">sampleuser</test_value>
                                <test_value name="SSH_CLIENT_ADDRESS">10.50.0.247</test_value>
                                <test_value name="SSH_PORT_NUMBER">42156</test_value>
                            </test_values>
                        </example>
                    </examples>
                </rule>
            </rules>
    </ruleset>
</patterndb>
</PASTE>

For /home/nick/testfile.log I have used

<PASTE>
Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2
Accepted password for user from 10.51.0.27 port 4256 ssh2
</PASTE>

After starting syslog-ng I get the following in /home/nick/output.log:

<PASTE>
; ;
; ;
</PASTE>

Any pointers on what I'm doing wrong would be very much appreciated.

This is a cross-post from
http://communities.balabit.com/balabit/topics/please_help_me_get_patterndb_working,
apologies if this offends, the balabit.com website is not clear on
where the most active community can be found.

Thanks in Advance,
Nick


[1] http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/en/syslog-ng-ose-v3.3-guide-admin-en/html/reference_patterndb_schemes.html#patterndb-schema-context-scope

[2] http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html/configuring-pattern-databases.html
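Added example (not from the original post and not part of syslog-ng): a small Python lint that reads a patterndb file like the one above and cross-checks its structure offline. It does not try to reproduce syslog-ng's pattern matching; the project's own `pdbtool test` command is the tool for that. What it does check is the part of the file that decides whether a rule is even tried and whether the embedded examples agree with the patterns: the ruleset-level `<pattern>` is matched against the message's PROGRAM field, so the rule patterns under the `ssh` ruleset are only consulted for messages whose program name matches `ssh`; and for each rule it lists the value names the pattern's `@PARSER:name:...@` tokens declare against the names the `<example>` block tests, reporting names that are never tested or that no parser sets. The sample database is a constructed copy of the post's XML plus a hypothetical second rule (placeholder id) with a deliberately misspelled test value so the report has something to show.

```python
"""Offline structural lint for a syslog-ng patterndb XML file.

Added example, not part of the original post or of syslog-ng itself. It does
not emulate syslog-ng's radix-tree matching (use the project's own
`pdbtool test` for that); it only checks the file's structure: which PROGRAM
values a ruleset applies to, which value names each rule pattern declares,
and whether the rule's embedded <example> blocks test those same names.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the ruleset from the post, plus a hypothetical second
# rule whose example names a value (SSH_USER) that its pattern never sets.
SAMPLE_PATTERNDB = """<patterndb version='4' pub_date='2010-10-17'>
  <ruleset name='ssh' id='123456678'>
    <pattern>ssh</pattern>
    <rules>
      <rule provider='me' id='182437592347598' class='system'>
        <patterns>
          <pattern>Accepted @QSTRING:SSH.AUTH_METHOD: @ for@QSTRING:SSH_USERNAME: @from\\ @QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
        </patterns>
        <examples>
          <example>
            <test_message>Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2</test_message>
            <test_values>
              <test_value name="SSH.AUTH_METHOD">password</test_value>
              <test_value name="SSH_USERNAME">sampleuser</test_value>
              <test_value name="SSH_CLIENT_ADDRESS">10.50.0.247</test_value>
              <test_value name="SSH_PORT_NUMBER">42156</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
      <rule provider='me' id='HYPOTHETICAL-RULE-ID-2' class='system'>
        <patterns>
          <pattern>Failed password for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
        </patterns>
        <examples>
          <example>
            <test_message>Failed password for bob from 10.0.0.9 port 2200 ssh2</test_message>
            <test_values>
              <test_value name="SSH_USER">bob</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""


def parse_pattern(pattern):
    """Split a pattern into ('lit', text) and ('parser', type, name, param) tokens.

    In patterndb syntax '@@' stands for a literal '@'; any other text between
    a pair of '@' characters is a parser spec written as PARSER:name[:param].
    """
    tokens, literal, i = [], [], 0
    while i < len(pattern):
        if pattern[i] != "@":
            literal.append(pattern[i])
            i += 1
        elif pattern[i + 1:i + 2] == "@":          # escaped '@'
            literal.append("@")
            i += 2
        else:
            end = pattern.find("@", i + 1)
            if end == -1:
                raise ValueError("unterminated parser spec in %r" % pattern)
            if literal:
                tokens.append(("lit", "".join(literal)))
                literal = []
            parts = pattern[i + 1:end].split(":", 2) + ["", ""]
            tokens.append(("parser", parts[0], parts[1], parts[2]))
            i = end + 1
    if literal:
        tokens.append(("lit", "".join(literal)))
    return tokens


def lint_patterndb(xml_text):
    """Return one report dict per rule, comparing declared and tested names."""
    root = ET.fromstring(xml_text)
    reports = []
    for ruleset in root.iter("ruleset"):
        # The ruleset-level <pattern> is matched against the message's PROGRAM;
        # the rules below are only tried for messages whose program name matches.
        programs = [p.text for p in ruleset.findall("pattern")]
        programs += [p.text for p in ruleset.findall("patterns/pattern")]
        for rule in ruleset.iter("rule"):
            declared = set()
            for pat in rule.iter("pattern"):
                declared.update(tok[2] for tok in parse_pattern(pat.text or "")
                                if tok[0] == "parser" and tok[2])
            tested = {tv.get("name") for tv in rule.iter("test_value")}
            reports.append({
                "ruleset": ruleset.get("name"),
                "programs": programs,
                "rule": rule.get("id"),
                "declared": declared,
                "untested": declared - tested,   # set by the pattern, never checked
                "unknown": tested - declared,    # checked, but no parser sets it
            })
    return reports


if __name__ == "__main__":
    for r in lint_patterndb(SAMPLE_PATTERNDB):
        print("rule %s in ruleset %r (tried only when $PROGRAM matches %s)"
              % (r["rule"], r["ruleset"], ", ".join(r["programs"])))
        print("  declared:", sorted(r["declared"]))
        if r["untested"]:
            print("  WARNING names never tested:", sorted(r["untested"]))
        if r["unknown"]:
            print("  WARNING example tests names no parser sets:", sorted(r["unknown"]))
```

Running it prints the program name each ruleset is keyed on, which is the value worth comparing with the `${PROGRAM}` macro of the messages actually reaching the parser (a test destination with a `${PROGRAM}` template shows it). The two lines in the test file above carry no explicit program field, so whatever the file() source extracts as PROGRAM decides whether the `ssh` ruleset is consulted at all, before any of the rule patterns are tried.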
