[syslog-ng] Create Pattern-DB rules

Justin Kala justinkala at gmail.com
Tue Sep 30 21:04:32 CEST 2014


Thanks Fabien

That was very helpful. I cannot change the format as of now.
Can you provide me the pattern db for the messages sent, like what to add in
front of the message? For example, what to put in place of timezone, hostname,
program etc., especially this part "2014-09-28T14:12:44-04:00
abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice] "; the rest of
the message is written in the example you provided.

Regards
Kaladhar

On Tue, Sep 30, 2014 at 10:47 AM, Fabien Wernli <wernli at in2p3.fr> wrote:

> Hi Justin,
>
> On Tue, Sep 30, 2014 at 10:29:13AM -0400, Justin Kala wrote:
> > 2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app sshd[11019]: [ID 800047 auth.notice] Failed password for root from 100.200.255.01 port 54438 ssh2
> > 2014-09-28T14:03:46-04:00 abcdef01-app/abcdef01-app sshd[27420]: [ID 800047 auth.notice] Failed publickey for root from 100.200.255.02 port 59219 ssh2
> > 2014-09-28T14:08:28-04:00 abcdef01-app/abcdef01-app sshd[3954]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 100.200.255.03 port 65410 ssh2
> > 2014-09-28T14:10:11-04:00 abcdef01-app/abcdef01-app sshd[5222]: [ID 293258 auth.error] libsldap: Status: 49  Mesg: openConnection: simple bind failed - Invalid credentials
>
> As it happens, these rules are already out there on github, you can just
> grab them [1]. That being said, you'll have a slight problem as you seem to
> be logging from Solaris machines, which unfortunately pollute the message
> with a msgid. You can either change the patterndb rules, or disable that
> IMHO useless feature by modifying /kernel/drv/log.conf and optionally
> using 'echo log_msgid/W0 | adb -kw' [2].
>
> Hope this helps
>
> [1] https://github.com/balabit/syslog-ng-patterndb
> [2] http://docs.oracle.com/cd/E19620-01/806-1650/6jau1364v/index.html
>


-- 
Kaladhar
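An added example rule (not from this thread, nor from the syslog-ng-patterndb repository Fabien links) showing how the Solaris "[ID ... auth.notice] " prefix fits into a pattern-db rule for the three "Failed ... for root" lines above: syslog-ng's own syslog parser has already consumed the timestamp, host and "sshd[11019]" before pattern-db runs, so the ruleset's `<pattern>sshd</pattern>` selects the program and the rule pattern starts at the msgid bracket. The ruleset/rule ids are placeholders and the `solaris.*` and `usracct.*` value names are my assumptions, not names the thread or the repository dictate.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the thread or of the syslog-ng-patterndb repo.
     Ids are placeholders; the solaris.* and usracct.* names are assumed. -->
<patterndb version="4" pub_date="2014-09-30">
  <ruleset name="sshd-solaris" id="PLACEHOLDER-RULESET-ID">
    <patterns>
      <!-- matched against $PROGRAM, so "sshd[11019]:" is never in the rule -->
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule provider="local" id="PLACEHOLDER-RULE-ID" class="violation">
        <patterns>
          <!-- @ESTRING:name:delim@ reads up to the delimiter and consumes it,
               so the "] " delimiter swallows the end of the Solaris msgid;
               @NUMBER@ and @IPv4@ are the stock pattern-db parsers -->
          <pattern>[ID @NUMBER:solaris.msgid@ @ESTRING:solaris.priority:] @Failed @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @IPv4:usracct.device@ port @NUMBER:usracct.port@ ssh2</pattern>
        </patterns>
        <examples>
          <!-- replayed by "pdbtool test": the message is matched and the
               extracted values compared with test_value -->
          <example>
            <test_message program="sshd">[ID 800047 auth.notice] Failed password for root from 100.200.255.01 port 54438 ssh2</test_message>
            <test_values>
              <test_value name="solaris.msgid">800047</test_value>
              <test_value name="usracct.authmethod">password</test_value>
              <test_value name="usracct.username">root</test_value>
              <test_value name="usracct.device">100.200.255.01</test_value>
              <test_value name="usracct.port">54438</test_value>
            </test_values>
          </example>
          <example>
            <test_message program="sshd">[ID 800047 auth.notice] Failed keyboard-interactive for root from 100.200.255.03 port 65410 ssh2</test_message>
            <test_values>
              <test_value name="usracct.authmethod">keyboard-interactive</test_value>
              <test_value name="usracct.username">root</test_value>
              <test_value name="usracct.device">100.200.255.03</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Running `pdbtool test` on the file checks the embedded examples, which is the quickest way to confirm the msgid prefix is being eaten before the rest of the pattern is applied; the libsldap "auth.error" line in the thread needs its own rule, since nothing after the prefix is shared with the failed-login lines.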