[syslog-ng] Create Pattern-DB rules
justinkala at gmail.com
Tue Sep 30 21:59:39 CEST 2014
How can I chop that content and pass it to the db-parser??
Also how to handle different values like if authentication method can be
password, public key, none, keyboard interactive. How do I put the values
in the pattern-db rule.do I keep adding them in example tag of the rule..
Thankyou very much for the quick response.
I m a trying to get onboard :)
On Sep 30, 2014 3:34 PM, "Fabien Wernli" <wernli at in2p3.fr> wrote:
> Hi again,
> On Tue, Sep 30, 2014 at 03:04:32PM -0400, Justin Kala wrote:
> > example: what to put in place of timezone ,hostname, program etc.
> > especially this part "2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app
> > sshd: [ID 800047
> > > auth.notice] " rest of the message is written in the example you
> First things first, you shouldn't need to worry about date, host and
> program: they are automatically being parsed by syslog-ng and cast
> respectively into the macros $DATE, $HOST, and $PROGRAM. The latter is
> being used by patterndb to separate rulesets. So in
> your example, $PROGRAM=sshd, $MSG=[ID 800047 auth.notice] ...
> Secondly, if I were you, I wouldn't touch the patterndb: I'd rather rewrite
> all messages to drop the annoying prefix, and only then pass the result to
> the dbparser.
> If you don't know how to do that, I can be of further assistance :-)
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the syslog-ng