[syslog-ng] Create Pattern-DB rules

Fabien Wernli wernli at in2p3.fr
Wed Oct 1 13:59:25 CEST 2014


Hi again,

On Tue, Sep 30, 2014 at 03:59:39PM -0400, Justin Kala wrote:
> How can I chop that content and pass it to the db-parser??

There are multiple ways I can think of: using rewrite rules or a dedicated
parser. The way I do it in production for a similar use case is using a
csv-parser. If your syslog-ng version allows it, I'd highly recommend
putting the parser inside your source definition. That way you'll be able to
remove the parser once you don't need it anymore (after fixing the Solaris
config). Here's an untested snippet for you that should help you progress:

  # Scope the parser to the Solaris source only, so it can be dropped later
  source s_solaris {
    channel {
      source {
        network(
          transport(udp)
          port(514)
          flags(syslog-protocol)
        );
      };
      parser(p_drop_msgid);
    };
  };

  # Split "[ID 123435 auth.notice] rest of line" into two columns:
  # the bracketed msgid goes to ${dropme}, everything after it to ${MESSAGE}
  parser p_drop_msgid {
    csv-parser(
      columns(
        "dropme"
        "MESSAGE"
      )
      delimiters(" ")
      flags(greedy)        # last column takes the remainder of the line
      quote-pairs('[]')    # treat [...] as one quoted field, brackets stripped
    );
  };

The csv-parser simply puts the unwanted "[ID 123435 auth.notice]" text into
macro ${dropme}, and the rest into ${MESSAGE}, which is then used by your
patterndb parser.

> Also how to handle different values like if authentication method can be
> password, public key, none, keyboard interactive. How do I put the values
> in the pattern-db rule. Do I keep adding them in the example tag of the rule..

That's already being handled in one of the pdb files on github [1].

[1] https://github.com/balabit/syslog-ng-patterndb/blob/master/access/sshd.pdb

Cheers
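As an added example (not code from this thread or from syslog-ng), here is a small Python model of the csv-parser semantics the snippet above relies on, so you can check what ${dropme} and ${MESSAGE} will contain before deploying. The column names, delimiter and quote pair come from the config; the sample lines are constructed, and the "too few fields fails the parse" behaviour is an assumption to verify on your version.

```python
# Added example, not code from the thread or from syslog-ng: a Python model of
# the csv-parser semantics the config above relies on (delimiters(" "),
# quote-pairs('[]'), flags(greedy)), so you can check what ${dropme} and
# ${MESSAGE} will contain before pushing the config to the Solaris source.

COLUMNS = ["dropme", "MESSAGE"]          # columns(...) from the snippet
DELIMITER = " "                          # delimiters(" ")
QUOTE_PAIRS = {"[": "]"}                 # quote-pairs('[]')


def csv_parse(message, columns=COLUMNS, greedy=True):
    """Return {column: value} the way csv-parser would split MESSAGE.

    Returns None on too few fields or an unterminated quote. Assumption:
    syslog-ng then fails the parse and the message leaves the channel.
    """
    fields = {}
    rest = message
    for i, name in enumerate(columns):
        if rest is None:
            return None                        # ran out of fields
        if greedy and i == len(columns) - 1:
            fields[name] = rest                # greedy: rest of line verbatim
            return fields
        if rest[:1] in QUOTE_PAIRS:            # quoted field: read to close
            end = rest.find(QUOTE_PAIRS[rest[0]], 1)
            if end == -1:
                return None
            fields[name], rest = rest[1:end], rest[end + 1:]  # quotes stripped
            if rest.startswith(DELIMITER):
                rest = rest[len(DELIMITER):]
            elif rest == "":
                rest = None
            else:
                return None                    # text glued to the close quote
        else:
            head, sep, rest = rest.partition(DELIMITER)
            fields[name] = head
            if not sep:
                rest = None
    return None if rest is not None else fields   # non-greedy: no extra fields


# Constructed sample lines (not real logs). The second shows the caveat: a line
# without the Solaris "[ID ...]" prefix loses its first word to ${dropme},
# which is why the parser is best scoped to the Solaris source only.
SAMPLES = [
    "[ID 123435 auth.notice] sshd[1234]: Accepted publickey for alice from 192.0.2.7 port 4422 ssh2",
    "sshd[1234]: Failed password for bob from 192.0.2.8 port 4410 ssh2",
    "[ID 123435 auth.notice]",
]


def parse_samples():
    return [csv_parse(line) for line in SAMPLES]
```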
