[syslog-ng] Create Pattern-DB rules

Justin Kala justinkala at gmail.com
Thu Oct 2 22:31:38 CEST 2014


Fabien


This is the configuration I put in; I tried to print classifier.class and
classifier.id from db_parser and got the value "unknown" in the log message.

================================================================
log { source(remote); filter(f_auth); parser(p_drop_msgid);
      parser(p_tmsgid); parser(pattern_db); destination(r_auth); };

#Source
source remote {
                       internal();
                       udp(ip(0.0.0.0) port(514));
                       };

#filter
filter f_auth   { facility (auth,user);   };

#parser01
parser p_drop_msgid {
     csv_parser(
       columns(
         "dropme",
         "EMSG"
       )
       delimiters("]")
     );
 };

#parser02
parser p_tmsgid {
     csv_parser(
       columns(
         "EMSG01"
       )
       delimiters("")
     template("${EMSG}"));
 };

#parser03
parser pattern_db {
            db_parser(
                file("/test/syslogs/script/parser/patterndb.xml")
            );
            };

#template 01
template t_msg_dbparser {
    template("${.classifier.class}|${.classifier.id}\n");
};


destination r_auth {
    file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"
        owner(root) group(test) perm(0640)
        #template("<#|${EMSG01}|#>\n")
        template(t_msg_dbparser)
    );
};



<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2010-07-13'>
  <ruleset name='sshd' id='12345678'>
    <description>
      This ruleset covers the OpenSSH server.
    </description>
    <url>www.openssh.com</url>
    <pattern>sshd</pattern>
    <rules>
      <rule provider="patterndb" id="aecda233-3d80-48cd-a72b-4896f58069c8" class="system">
        <patterns>
          <pattern>Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@</pattern>
        </patterns>
        <examples>
          <example>Failed password for kaladhar from 127.0.1.1 port 44637 ssh2</example>
        </examples>
        <values>
          <value name="usracct.type">login</value>
          <value name="usracct.sessionid">$PID</value>
          <value name="usracct.application">$PROGRAM</value>
          <value name="usracct.device">${temp.src_ip}:${temp.src_port}</value>
          <value name="secevt.verdict">REJECT</value>
        </values>
        <tags>
          <tag>usracct</tag>
          <tag>secevt</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>


For this, the log message is:
===========================================================


cat messagesAuth.2014.10.02.16
unknown|unknown|
===========================================================


Thanks & Regards
Justin Kala

On Thu, Oct 2, 2014 at 10:38 AM, Justin Kala <justinkala at gmail.com> wrote:

> Hi
>
> This is how I configured and the Final Log Message
> parser p_drop_msgid {
>      csv_parser(
>        columns(
>          "dropme",
>          "EMSG"
>        )
>        delimiters("]")
>      );
>  };
>
> parser pattern_db {
>             db_parser(
>                 file("/test/syslogs/script/parser/patterndb.xml")
>             );
>             };
>
>
> destination r_auth  {
> file("/test/syslogs/$FULLHOST_FROM/messagesAuth.$YEAR.$MONTH.$DAY.$HOUR"
> owner(root) group(salars) perm(0640)
>
> template("<#|${S_FULLDATE}|${usracct.type}|${usracct.device}|${usracct.application}|${secevt.verdict}|${EMSG}|${usracct.username}|#>\n")
> );
>  };
>
>
> log { source (remote); filter (f_auth); parser(p_drop_msgid);
> parser(pattern_db);  destination (r_auth); };
>
> Final Log message:
> <#|2014 Oct  1 16:07:54|||||[ID 800047 auth.notice] Failed none for
> abc1234 from 100.200.300.10 port 59301 ssh2||#>
>
> Thanks & Regards
>
> On Thu, Oct 2, 2014 at 3:26 AM, Fabien Wernli <wernli at in2p3.fr> wrote:
>
>> Hi,
>>
>> On Wed, Oct 01, 2014 at 10:48:44PM -0400, Justin Kala wrote:
>> > my syslog-ng server (Syslog-ng OSE 3.0.4), this came default with SOLARIS
>> > OS..
>> > is not using patterndb.xml db_parser I configured in syslog-ng.conf. I
>> > chopped off the message id content and the actual message is sent to
>> > pattern-db parser but all the macro values that are referred from here are
>> > not getting populated in the final log
>>
>> Can you elaborate on the nature of "the final log"?
>> If you're simply using a file destination with default template, you won't
>> see any of the macros, as by default only $DATE, $HOST, $PROGRAM, $PID and
>> $MSG are shown. You need to explicitly do that in the template format.
>>
>>
>>
>>
>
>
> --
> Kaladhar
>



-- 
Kaladhar
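To make the ruleset above concrete, here is an added toy model (my own code, not syslog-ng's) of how patterndb consumes a message with the @STRING@, @IPv4@ and @NUMBER@ parsers in that rule and then fills in its <values>. It anchors at the start of the message as patterndb does; the second input is constructed from the "Final Log message" quoted above, and the regex-based parsers, the "__" group-name trick and the omission of the $PID/$PROGRAM values are simplifications of mine.

```python
import re

# Toy subset of the patterndb parsers: each @PARSER:name@ token becomes a
# named regex group. Real patterndb uses a radix tree, but the semantics
# modelled here (anchored at message start, STRING stops at whitespace,
# IPv4 is a dotted quad, NUMBER is a run of digits) are the same.
PARSERS = {
    "STRING": r"\S+",
    "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NUMBER": r"\d+",
}

# Rule copied from the patterndb.xml in this thread ($PID/$PROGRAM omitted).
RULE_PATTERN = ("Failed @STRING:usracct.authmethod@ for @STRING:usracct.username@ "
                "from @IPv4:temp.src_ip@ port @NUMBER:temp.src_port@ @STRING:usracct.service@")
RULE_VALUES = {
    "usracct.type": "login",
    "usracct.device": "${temp.src_ip}:${temp.src_port}",
    "secevt.verdict": "REJECT",
}
RULE_CLASS = "system"


def compile_pattern(pattern):
    """Translate @PARSER:name@ tokens into one regex anchored at both ends."""
    regex, pos = "", 0
    for m in re.finditer(r"@(\w+):([\w.]+)@", pattern):
        regex += re.escape(pattern[pos:m.start()])
        # Group names cannot contain '.', so encode it as '__' and undo later.
        regex += "(?P<%s>%s)" % (m.group(2).replace(".", "__"), PARSERS[m.group(1)])
        pos = m.end()
    return re.compile("^" + regex + re.escape(pattern[pos:]) + "$")


def classify(msg):
    """Return the name-value pairs the rule sets, or the 'unknown' result
    seen in this thread when no rule matches."""
    m = compile_pattern(RULE_PATTERN).match(msg)
    if not m:
        return {".classifier.class": "unknown"}
    nv = {k.replace("__", "."): v for k, v in m.groupdict().items()}
    # <value> entries may reference already-parsed names via ${name}.
    for name, tmpl in RULE_VALUES.items():
        nv[name] = re.sub(r"\$\{([\w.]+)\}", lambda r: nv.get(r.group(1), ""), tmpl)
    nv[".classifier.class"] = RULE_CLASS
    return nv
```

Running classify() on the rule's own <example> line yields the usracct.* values, while the constructed Solaris line that still starts with "[ID 800047 auth.notice] " does not match and therefore comes back as unknown.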

