[syslog-ng] Create Pattern-DB rules

Fabien Wernli wernli at in2p3.fr
Tue Sep 30 16:47:57 CEST 2014

Hi Justin,

On Tue, Sep 30, 2014 at 10:29:13AM -0400, Justin Kala wrote:
> 2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047
> auth.notice] Failed password for root from port 54438 ssh2
> 2014-09-28T14:03:46-04:00 abcdef01-app/abcdef01-app sshd[27420]: [ID 800047
> auth.notice] Failed publickey for root from port 59219 ssh2
> 2014-09-28T14:08:28-04:00 abcdef01-app/abcdef01-app sshd[3954]: [ID 800047
> auth.notice] Failed keyboard-interactive for root from port
> 65410 ssh2
> 2014-09-28T14:10:11-04:00 abcdef01-app/abcdef01-app sshd[5222]: [ID 293258
> auth.error] libsldap: Status: 49  Mesg: openConnection: simple bind failed
> - Invalid credentials

As it happens, these rules are already out there on github, you can just
grab them [1]. That being said, you'll have a slight problem as you seem to
be logging from Solaris machines, which unfortunately pollute the message
with a msgid. You can either change the patterndb rules, or disable that
IMHO useless feature by modifying /kernel/drv/log.conf and optionally
using 'echo log_msgid/W0 | adb -kw' [2].

Hope this helps

[1] https://github.com/balabit/syslog-ng-patterndb
[2] http://docs.oracle.com/cd/E19620-01/806-1650/6jau1364v/index.html

More information about the syslog-ng mailing list