[syslog-ng] Create Pattern-DB rules

Justin Kala justinkala at gmail.com
Thu Oct 2 16:38:19 CEST 2014


Hi

This is how I configured it, and the final log message:
parser p_drop_msgid {
    csv_parser(
        columns(
            "dropme",
            "EMSG"
        )
        delimiters("]")
    );
};

parser pattern_db {
    db_parser(
        file("/test/syslogs/script/parser/patterndb.xml")
    );
};

destination r_auth {
    file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"
        owner(root) group(salars) perm(0640)
        template("<#|${S_FULLDATE}|${usracct.type}|${usracct.device}|${usracct.application}|${secevt.verdict}|${EMSG}|${usracct.username}|#>\n")
    );
};

log {
    source(remote);
    filter(f_auth);
    parser(p_drop_msgid);
    parser(pattern_db);
    destination(r_auth);
};

Final Log message:
<#|2014 Oct  1 16:07:54|||||[ID 800047 auth.notice] Failed none for abc1234
from 100.200.300.10 port 59301 ssh2||#>

Thanks & Regards

On Thu, Oct 2, 2014 at 3:26 AM, Fabien Wernli <wernli at in2p3.fr> wrote:

> Hi,
>
> On Wed, Oct 01, 2014 at 10:48:44PM -0400, Justin Kala wrote:
> > my syslog-ng server (Syslog-ng OSE 3.0.4), this came default with SOLARIS
> > OS..
> > is not using patterndb.xml db_parser I configured in syslog-ng.conf. I
> > chopped off the message id content and the actual message is sent to
> > pattern-db parser but all the macro values that are referred from here
> > are not getting populated in the final log
>
> Can you elaborate on the nature of "the final log"?
> If you're simply using a file destination with default template, you won't
> see any of the macros, as by default only $DATE, $HOST, $PROGRAM, $PID and
> $MSG are shown. You need to explicitly do that in the template format.
>


-- 
Kaladhar
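As an added example that is not part of this thread or of the syslog-ng project, a patterndb.xml ruleset written for the Solaris sshd line shown above, so that the usracct.* and secevt.verdict macros referenced in the r_auth template receive values. It assumes pattern database format version 4 (syslog-ng OSE 3.2 or newer; the 3.0.4 release in the thread needs the format version that release supports), that the messages arrive with $PROGRAM set to sshd, and that the ruleset and rule ids are placeholders to replace with real UUIDs; the fixed values (login, sshd, REJECT) are constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2014-10-02">
  <ruleset name="sshd" id="RULESET-UUID-PLACEHOLDER">
    <!-- The ruleset is selected by $PROGRAM; assumes the Solaris sshd
         messages arrive with the program name "sshd". -->
    <patterns>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule provider="local" id="RULE-UUID-PLACEHOLDER" class="system">
        <!-- db_parser matches the whole $MESSAGE, and on Solaris the
             "[ID nnn fac.pri] " prefix is part of it, so the rule consumes
             the prefix itself instead of relying on a csv_parser.
             @ESTRING@ is used for the client address because the address
             quoted in the thread (100.200.300.10) is not a valid IPv4
             literal and @IPv4@ would not match it. -->
        <patterns>
          <pattern>[ID @NUMBER:solaris.msgid:@ @ESTRING:solaris.facpri:]@ Failed @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @NUMBER:usracct.port:@ ssh2</pattern>
        </patterns>
        <!-- Constructed fixed values for the template macros the pattern
             cannot extract from the message text. -->
        <values>
          <value name="usracct.type">login</value>
          <value name="usracct.application">sshd</value>
          <value name="secevt.verdict">REJECT</value>
        </values>
        <!-- "pdbtool test patterndb.xml" checks this example against the rule. -->
        <examples>
          <example>
            <test_message program="sshd">[ID 800047 auth.notice] Failed none for abc1234 from 100.200.300.10 port 59301 ssh2</test_message>
            <test_values>
              <test_value name="usracct.username">abc1234</test_value>
              <test_value name="usracct.device">100.200.300.10</test_value>
              <test_value name="usracct.port">59301</test_value>
              <test_value name="secevt.verdict">REJECT</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Because the rule consumes the "[ID ...]" prefix, the template can reference ${MESSAGE} directly instead of the ${EMSG} column produced by p_drop_msgid.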