[syslog-ng] Create Pattern-DB rules

Justin Kala justinkala at gmail.com
Thu Oct 2 04:48:44 CEST 2014


Hi Fabien

I was able to do it as you mentioned.

I have another problem now.
My syslog-ng server (syslog-ng OSE 3.0.4, which came by default with the Solaris OS) is not using the patterndb.xml db_parser I configured in syslog-ng.conf. I chopped off the message ID content and the actual message is sent to the pattern-db parser, but none of the macro values referred to from here are getting populated in the final log:

<rule provider="patterndb" id="aecda233-3d80-48cd-a72b-4896f58069c8" class="system">
  <patterns>
    <pattern>Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@</pattern>
  </patterns>
  <examples>
    <example>Failed password for bazsi from 127.0.1.1 port 44637 ssh2</example>
  </examples>
  <values>
    <value name="usracct.type">login</value>
    <value name="usracct.sessionid">$PID</value>
    <value name="usracct.application">$PROGRAM</value>
    <value name="usracct.device">${temp.src_ip}:${temp.src_port}</value>
    <value name="secevt.verdict">REJECT</value>
  </values>
  <tags>
    <tag>usracct</tag>
    <tag>secevt</tag>
  </tags>
</rule>


Can you help with this?

I highly appreciate the support and responses you have been giving.

On Wed, Oct 1, 2014 at 7:59 AM, Fabien Wernli <wernli at in2p3.fr> wrote:

> Hi again,
>
> On Tue, Sep 30, 2014 at 03:59:39PM -0400, Justin Kala wrote:
> > How can I chop that content and pass it to the db-parser??
>
> There are multiple ways I can think of: using rewrite rules or a dedicated
> parser. The way I do it in production for a similar use case is using a
> csv-parser. If your syslog-ng version allows it, I'd highly recommend
> putting the parser inside your source definition. That way you'll be able
> to remove the parser once you don't need it anymore (after fixing the
> Solaris config). Here's an untested snippet for you that should help you
> progress:
>
>   source s_solaris {
>     channel {
>       source {
>         network(
>           transport(udp)
>           port(514)
>           flags(syslog-protocol)
>         );
>       };
>       parser (p_drop_msgid);
>     };
>   };
>
>   parser p_drop_msgid {
>     csv_parser(
>       columns(
>         "dropme"
>         "MESSAGE"
>       )
>       delimiters(" ")
>       flags(greedy)
>       quote-pairs('[]')
>     );
>   };
>
> The csv-parser simply puts the unwanted "[ID 123435 auth.notice]" text into
> macro ${dropme}, and the rest into ${MESSAGE}, which is then used by your
> patterndb parser.
>
> > Also, how do I handle different values, e.g. if the authentication method can be
> > password, public key, none, or keyboard interactive? How do I put the values
> > in the pattern-db rule? Do I keep adding them in the example tag of the rule?
>
> That's already being handled in one of the pdb files on github [1].
>
> [1]
> https://github.com/balabit/syslog-ng-patterndb/blob/master/access/sshd.pdb
>
> Cheers
>
>


-- 
Kaladhar
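The two-stage flow discussed in this thread (split the Solaris "[ID ... facility.level]" prefix off the message, then run the patterndb rule over what is left), as an added Python emulation that is not syslog-ng's own code. It approximates the csv-parser with greedy flag and '[]' quote pairs, turns the rule's @STRING@/@IPv4@/@NUMBER@ parsers into regexes, and resolves the rule's <value> templates. The sample log line, the parser regexes, and the PID/PROGRAM macro values are constructed assumptions; real patterndb parsers are more configurable than these regexes. Running the rule over the unstripped line shows why none of the macros get populated when the prefix is still attached: the rule simply does not match.

```python
import re

# Constructed Solaris-style line: the "[ID ... facility.level]" prefix is what the
# csv-parser in the thread puts into ${dropme}; the rest becomes ${MESSAGE}.
SAMPLE_LINE = "[ID 800047 auth.notice] Failed password for bazsi from 127.0.1.1 port 44637 ssh2"

# The rule from the thread, reduced to the parts this emulation needs.
RULE = {
    "pattern": "Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ "
               "from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@",
    "values": {
        "usracct.type": "login",
        "usracct.sessionid": "$PID",
        "usracct.application": "$PROGRAM",
        "usracct.device": "${temp.src_ip}:${temp.src_port}",
        "secevt.verdict": "REJECT",
    },
    "tags": ["usracct", "secevt"],
}

# Approximate regex equivalents of the patterndb parsers used in the rule (assumption:
# the real parsers accept configurable character sets; this is enough for the example).
PARSER_RE = {
    "STRING": r"\S+",
    "NUMBER": r"\d+",
    "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}",
}


def drop_msgid(line):
    """Emulate csv-parser(columns("dropme" "MESSAGE") delimiters(" ") flags(greedy)
    quote-pairs('[]')): the first space-separated column, with [...] treated as one
    quoted unit, goes to dropme; greedy hands the whole remainder to MESSAGE."""
    if line.startswith("["):
        end = line.find("]")
        if end == -1:
            return None, line  # unterminated quote: pass the line through unchanged
        return line[1:end], line[end + 1:].lstrip(" ")
    dropme, _, rest = line.partition(" ")
    return dropme, rest


def compile_pattern(pattern):
    """Turn a patterndb pattern into an anchored regex with one named group per
    @PARSER:name@ token. Python group names cannot contain dots, so '.' becomes '__'."""
    regex, pos = "", 0
    for m in re.finditer(r"@(\w+):([\w.]+)@", pattern):
        regex += re.escape(pattern[pos:m.start()])
        parser, name = m.group(1), m.group(2)
        regex += "(?P<%s>%s)" % (name.replace(".", "__"), PARSER_RE[parser])
        pos = m.end()
    regex += re.escape(pattern[pos:])
    return re.compile("^" + regex + "$")


def match_rule(message, rule, env=None):
    """Return the name-value pairs the rule would add to the message, or None if the
    rule does not match. env supplies message macros such as PID and PROGRAM."""
    m = compile_pattern(rule["pattern"]).match(message)
    if not m:
        return None
    nv = {k.replace("__", "."): v for k, v in m.groupdict().items()}
    lookup = {**(env or {}), **nv}

    # <value> entries are templates: resolve ${name} and $NAME from extracted fields and macros
    def subst(tpl):
        return re.sub(r"\$\{([\w.]+)\}|\$(\w+)",
                      lambda x: lookup.get(x.group(1) or x.group(2), ""), tpl)

    for name, tpl in rule["values"].items():
        nv[name] = subst(tpl)
    nv["TAGS"] = ",".join(rule["tags"])  # what syslog-ng's ${TAGS} macro would list
    return nv


def process(line, env=None):
    """Full pipeline: strip the message ID column, then classify the remaining message."""
    _dropme, message = drop_msgid(line)
    return match_rule(message, RULE, env)


if __name__ == "__main__":
    macros = {"PID": "4242", "PROGRAM": "sshd"}  # constructed macro values
    print(process(SAMPLE_LINE, macros))          # populated name-value pairs
    print(match_rule(SAMPLE_LINE, RULE, macros)) # None: prefix still attached, no match
```

The interesting case is the last line: when the "[ID ...]" prefix is left in ${MESSAGE}, the rule fails to match at its first literal token and no usracct.* or secevt.* values are produced, which is exactly what an empty set of macros in the final log looks like. Checking that the stripped ${MESSAGE} really starts with "Failed ..." is therefore the first thing to verify when the db-parser seems to be ignored.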