[syslog-ng] Please help getting patterndb working.

Nick linickx at gmail.com
Thu Dec 19 18:25:06 CET 2013


Hello,

Apologies - I thought I had closed this thread :-/

I've just realised that when I use Fabien's example in syslog-ng the
output file is still empty.

I've updated the https://gist.github.com/linickx/8002981 in case the
text below doesn't render.

example.xml is now the correct version...

[nick at localhost ~]$ pdbtool test --validate example.xml
example.xml validates
Testing message program='ssh' message='Accepted password for
sampleuser from 10.50.0.247 port 42156 ssh2'
[nick at localhost ~]$

The syslog-ng.conf is the same
(https://gist.github.com/linickx/8002981#file-syslog-ng-conf) and the
net result is the output is still the same
(https://gist.github.com/linickx/8002981#file-output-log)

Following the previous 'pdbtool match' ... I get the following?

[nick at localhost ~]$ pdbtool match -p example.xml -f testfile.log
--template "${SSH_USERNAME}; ${SSH_CLIENT_ADDRESS}; \n"
; ;
; ;
[nick at localhost ~]$ pdbtool match -p example.xml -f testfile.log
--template "${SSH_USERNAME}; ${SSH_CLIENT_ADDRESS}; \n" -D -v
Module loaded and initialized successfully; module='syslogformat'
Module loaded and initialized successfully; module='basicfuncs'
Pattern matching part:
password for sampleuser from 10.50.0.247 port 42156 ssh2
Matching part:

Values:
MESSAGE=password for sampleuser from 10.50.0.247 port 42156 ssh2
PROGRAM=Accepted
LEGACY_MSGHDR=Accepted
.classifier.class=unknown
TAGS=.classifier.unknown

Pattern matching part:
password for user from 10.51.0.27 port 4256 ssh2
Matching part:

Values:
MESSAGE=password for user from 10.51.0.27 port 4256 ssh2
PROGRAM=Accepted
LEGACY_MSGHDR=Accepted
.classifier.class=unknown
TAGS=.classifier.unknown

Closing log transport fd; fd='3'
[nick at localhost ~]$


In my syslog-ng.conf or template, how should I be using the variables
defined in the patterndb?

Thanks in Advance,
Nick


On 17 December 2013 12:19, Fabien Wernli <wernli at in2p3.fr> wrote:
> Hi,
>
> On Tue, Dec 17, 2013 at 12:07:41PM +0000, Nick wrote:
>> [1] I have added a program attribute.
>
> Note that the "program" attribute of "test_message" needs to match the
> rule's "pattern" text if you want a match.
>
>> [3] I agree that the pattern is wrong, the output above shows that but
>
> Try the following: https://gist.github.com/faxm0dem/b2c87efb098b4aba1969
>
>> [4] I assume you mean "pdbtool patternize -f testfile.log" ? I'm not
>> sure how that helps...
>
> Actually I meant 'pdbtool match'
>
> Sadly, 'patternize' failed to help me in the past, maybe someone else can
> comment on that.
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>



-- 
Shameless plug for google Juice: http://www.linickx.com
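Added example, not code from this thread, from the gist, or from syslog-ng itself: a small Python emulation of what the `pdbtool match -D -v` output above shows. That output lists `PROGRAM=Accepted` and `MESSAGE=password for sampleuser from ...`, so the rule is being tried against the test line with its first word removed. The script below translates a patterndb pattern using the `@ESTRING@`, `@IPv4@` and `@NUMBER@` parsers into a regex (the pattern itself is an assumption, since example.xml lives only in the gist), applies the same first-word split to a header-less line, and shows that `SSH_USERNAME` and `SSH_CLIENT_ADDRESS` are only filled when the line carries a syslog header that supplies the program name. The header handling is a deliberately simplified model of the behaviour visible in the debug output, not syslog-ng's own parser.

```python
import re

# Constructed sample input: the two header-less lines exactly as the -D -v
# output above shows them, plus the same event with a BSD syslog header.
BARE_LINES = [
    "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2",
    "Accepted password for user from 10.51.0.27 port 4256 ssh2",
]
HEADERED_LINE = ("Dec 19 18:25:06 localhost sshd[4242]: "
                 "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2")

# Assumed rule pattern (hypothetical; the thread's example.xml is only in the gist).
PATTERN = ("Accepted password for @ESTRING:SSH_USERNAME: @from "
           "@IPv4:SSH_CLIENT_ADDRESS:@ port @NUMBER:SSH_PORT:@ ssh2")

# @PARSER:name:argument@ ; the argument is optional (empty for IPv4/NUMBER here).
PARSER_RE = re.compile(r"@(ESTRING|IPv4|NUMBER):([A-Za-z_][A-Za-z0-9_.]*)(?::([^@]*))?@")


def pattern_to_regex(pattern):
    """Translate a subset of patterndb parser syntax into an anchored regex.

    ESTRING consumes text up to and including its delimiter, IPv4 matches a
    dotted-quad address, NUMBER matches a run of digits.  Literal text between
    parsers is escaped so it must match exactly, as in patterndb.
    """
    parts, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        kind, name, arg = m.groups()
        if kind == "ESTRING":
            parts.append(f"(?P<{name}>.*?){re.escape(arg)}")
        elif kind == "IPv4":
            parts.append(f"(?P<{name}>(?:\\d{{1,3}}\\.){{3}}\\d{{1,3}})")
        elif kind == "NUMBER":
            parts.append(f"(?P<{name}>\\d+)")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


# Simplified BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message".
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[\d+\])?: (?P<message>.*)$"
)


def split_header(line):
    """Model of the split seen in the -D -v output: with a header, PROGRAM comes
    from the header; without one, the first word becomes PROGRAM and the rest
    becomes MESSAGE (which is why the output shows PROGRAM=Accepted)."""
    m = HEADER_RE.match(line)
    if m:
        return m.group("program"), m.group("message")
    first, _, rest = line.partition(" ")
    return first, rest


def match_line(line, pattern=PATTERN):
    """Return the name-value pairs a rule would produce for one log line."""
    program, message = split_header(line)
    m = pattern_to_regex(pattern).match(message)
    values = {"PROGRAM": program, "MESSAGE": message, "matched": m is not None}
    if m:
        values.update(m.groupdict())
    return values


if __name__ == "__main__":
    for line in BARE_LINES + [HEADERED_LINE]:
        print(match_line(line))
```

Running it prints `matched: False` with `PROGRAM='Accepted'` for both bare lines, and `matched: True` with `SSH_USERNAME='sampleuser'`, `SSH_CLIENT_ADDRESS='10.50.0.247'` for the line that has a header. The same pattern applied to the whole bare line (without the split) does match, which is the contrast worth checking when a test file of raw messages produces empty template fields.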

