[syslog-ng] No PatternDB Matches

Tusa Viktor tusavik at gmail.com
Wed Jul 2 00:11:47 CEST 2014 

Hi Michael!

First, when using pdbtool for testing, you should specify -P "ssh" on
command line, because your rule will only match if the program name is
"ssh". Second, be careful with spaces and line breaks!
Patterndb patterns are very sensitive to white spaces and line breaks, if
the log is a single line one, then your pattern shouldn't have any line
break. In your case, the problem is with spaces.
In patterndb, there is no need to escape spaces, because they are taken
literally: one space in the pattern means one space matching in the log. So
you should delete the space after the "Accepted" word, and you should
delete an other space and the backslash after "from". With these
modifications, I managed to match the line. So here is my pattern:

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2010-10-17'>
<ruleset name='ssh' id='123456678'>
   <pattern>ssh</pattern>
     <rules>
        <rule provider='me' id='182437592347598' class='system'>
           <patterns>
              <pattern>Accepted at QSTRING:SSH.AUTH_METHOD:
@for at QSTRING:SSH_USERNAME:
@from at QSTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@
ssh2</pattern>
           </patterns>
         </rule>
     </rules>
   </ruleset>
</patterndb>

And the pdbtool line:

bin/pdbtool match -p /tmp/test.xml -P "ssh" -M "Accepted password for
sampleuser from 10.50.0.247 port 42156 ssh2"

Hope I could help you.

Best Regards,
Viktor


On Tue, Jul 1, 2014 at 11:49 PM, Michael Starks <
syslog-ng-list at michaelstarks.com> wrote:

> x-posted from ELSA mailing list; no replies there so please excuse the
> noise.
>
> I am trying to add an additional ASA log message that is unclassified in
> ELSA. To make a long story short, *nothing" seems to be matching with
> pdbtool. Here is the line I am trying to work with:
>
> Jun 23 00:00:05 192.168.1.4 %ASA-3-106100: access-list INOUT denied tcp
> inside/1.2.3.4(64576) -> outside/5.6.7.8(80) hit-cnt 1 first hit
> [0x59bca63e, 0x620e5b55]
>
> Putting that aside for the moment since I can't get it to work, I went
> straight to the syslog-ng docs
> (
> https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html-single/index.html#chapter-patterndb
> )
> and used the example. I created /etc/elsa/patterns.d/test.xml with this
> content:
>
> <patterndb version='4' pub_date='2010-10-17'>
>      <ruleset name='ssh' id='123456678'>
>          <pattern>ssh</pattern>
>              <rules>
>                  <rule provider='me' id='182437592347598' class='system'>
>                      <patterns>
>                          <pattern>Accepted @QSTRING:SSH.AUTH_METHOD: @
> for at QSTRING:SSH_USERNAME: @from\ @QSTRING:SSH_CLIENT_ADDRESS: @port
> @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
>                      </patterns>
>                  </rule>
>              </rules>
>      </ruleset>
> </patterndb>
>
> I then tested with this line:
>
> /usr/local/syslog-ng/bin/pdbtool match -p /etc/elsa/patterns.d/test.xml
> -M "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2"
>
> The result is this:
>
> MESSAGE=Accepted password for sampleuser from 10.50.0.247 port 42156
> ssh2
> .classifier.class=unknown
>
> Details are:
>
> [root at hostname elsa]# /usr/local/syslog-ng-3.2.4/sbin/syslog-ng -V
> syslog-ng 3.2.4
> Installer-Version: 3.2.4
> Revision:
> ssh+git://bazsi@git.balabit
> //var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
> Compile-Date: May 23 2012 09:58:14
> Enable-Threads: off
> Enable-Debug: off
> Enable-GProf: off
> Enable-Memtrace: off
> Enable-Sun-STREAMS: off
> Enable-IPv6: on
> Enable-Spoof-Source: off
> Enable-TCP-Wrapper: off
> Enable-SSL: on
> Enable-SQL: off
> Enable-Linux-Caps: on
> Enable-Pcre: on
> Enable-Pacct: off
>
> [root at hostname elsa]# cat /etc/redhat-release
> Oracle Linux Server release 6.5
>
> Thank you in advance.
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20140702/bffe0e81/attachment.htm

More information about the syslog-ng mailing list