[syslog-ng] No PatternDB Matches

Michael Starks syslog-ng-list at michaelstarks.com
Tue Jul 1 23:49:45 CEST 2014


x-posted from ELSA mailing list; no replies there so please excuse the 
noise.

I am trying to add an additional ASA log message that is unclassified in 
ELSA. To make a long story short, *nothing* seems to be matching with 
pdbtool. Here is the line I am trying to work with:

Jun 23 00:00:05 192.168.1.4 %ASA-3-106100: access-list INOUT denied tcp 
inside/1.2.3.4(64576) -> outside/5.6.7.8(80) hit-cnt 1 first hit 
[0x59bca63e, 0x620e5b55]

Putting that aside for the moment since I can't get it to work, I went 
straight to the syslog-ng docs 
(https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html-single/index.html#chapter-patterndb) 
and used the example. I created /etc/elsa/patterns.d/test.xml with this 
content:

<patterndb version='4' pub_date='2010-10-17'>
    <ruleset name='ssh' id='123456678'>
        <pattern>ssh</pattern>
        <rules>
            <rule provider='me' id='182437592347598' class='system'>
                <patterns>
                    <pattern>Accepted @QSTRING:SSH.AUTH_METHOD: @ for @QSTRING:SSH_USERNAME: @from\ @QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
                </patterns>
            </rule>
        </rules>
    </ruleset>
</patterndb>

I then tested with this line:

/usr/local/syslog-ng/bin/pdbtool match -p /etc/elsa/patterns.d/test.xml 
-M "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2"

The result is this:

MESSAGE=Accepted password for sampleuser from 10.50.0.247 port 42156 
ssh2
.classifier.class=unknown

Details are:

[root@hostname elsa]# /usr/local/syslog-ng-3.2.4/sbin/syslog-ng -V
syslog-ng 3.2.4
Installer-Version: 3.2.4
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
Compile-Date: May 23 2012 09:58:14
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: off
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off

[root@hostname elsa]# cat /etc/redhat-release
Oracle Linux Server release 6.5

Thank you in advance.
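A check worth making when pdbtool reports `.classifier.class=unknown`: patterndb first selects a ruleset by matching its `<pattern>` (here `ssh`) against the message's PROGRAM field, and `pdbtool match -M` alone leaves PROGRAM empty, so no ruleset is ever consulted. The script below is an added example, not syslog-ng's own code: a simplified re-implementation of that two-stage lookup (NUMBER, ESTRING, QSTRING and ANYSTRING only, exact program matching) run against the ASA line from the post with a constructed ruleset; that syslog-ng stores `%ASA-3-106100` as PROGRAM and the remainder as MESSAGE is an assumption.

```python
import re

# '@@' is a literal '@'; otherwise '@PARSER:name:param@' is a pattern parser.
PARSER = re.compile(r'@@|@([A-Z]+):([^:@]*):?([^@]*)@')

def compile_pattern(pattern):
    """Translate a patterndb pattern into an anchored regex plus its field names."""
    regex, names, pos = '', [], 0
    for m in PARSER.finditer(pattern):
        regex += re.escape(pattern[pos:m.start()])  # literal text before the parser
        pos = m.end()
        if m.group(0) == '@@':
            regex += '@'
            continue
        kind, name, param = m.groups()
        names.append(name)
        if kind == 'NUMBER':
            regex += r'(\d+)'
        elif kind == 'ESTRING':      # text up to (and consuming) the delimiter
            regex += '(.*?)' + re.escape(param)
        elif kind == 'QSTRING':      # text between the quote characters
            regex += re.escape(param[:1]) + '(.*?)' + re.escape(param[-1:])
        elif kind == 'ANYSTRING':
            regex += '(.*)'
        else:
            raise ValueError('parser not modelled: ' + kind)
    return re.compile(regex + re.escape(pattern[pos:])), names

def classify(program, message, rulesets):
    """Return (class, fields); class is 'unknown' when no ruleset or rule matches."""
    for prog_pattern, rules in rulesets:
        prog_re, _ = compile_pattern(prog_pattern)
        if not prog_re.fullmatch(program):  # an empty PROGRAM selects no ruleset
            continue
        for rule_class, msg_pattern in rules:
            msg_re, names = compile_pattern(msg_pattern)
            m = msg_re.fullmatch(message)
            if m:
                return rule_class, dict(zip(names, m.groups()))
    return 'unknown', {}

# Constructed ruleset for the ASA-106100 line: program pattern, then one rule.
ASA_RULESET = [('%ASA-3-106100', [('violation',
    'access-list @ESTRING:ACL.NAME: @@ESTRING:ACL.ACTION: @@ESTRING:ACL.PROTO: @'
    '@ESTRING:SRC.IF:/@@ESTRING:SRC.IP:(@@NUMBER:SRC.PORT:@) -> '
    '@ESTRING:DST.IF:/@@ESTRING:DST.IP:(@@NUMBER:DST.PORT:@) '
    'hit-cnt @NUMBER:ACL.HITS:@ @ANYSTRING:ACL.REST:@')])]
ASA_MSG = ('access-list INOUT denied tcp inside/1.2.3.4(64576) -> '
           'outside/5.6.7.8(80) hit-cnt 1 first hit [0x59bca63e, 0x620e5b55]')

if __name__ == '__main__':
    print(classify('', ASA_MSG, ASA_RULESET))               # ('unknown', {})
    print(classify('%ASA-3-106100', ASA_MSG, ASA_RULESET))  # ('violation', {...})
```

The first call mirrors `pdbtool match -M ...` with no program and stays unknown; the second supplies the program, which is what `pdbtool match -P` does.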

