[syslog-ng] Create Pattern-DB rules

Justin Kala justinkala at gmail.com
Tue Sep 30 21:59:39 CEST 2014


True.
How can I chop that content and pass it to the db-parser?
Also, how do I handle different values, e.g. if the authentication method can be
password, public key, none, or keyboard-interactive? How do I put the values
in the pattern-db rule? Do I keep adding them in the example tag of the rule?

Thank you very much for the quick response.

I'm trying to get on board :)
On Sep 30, 2014 3:34 PM, "Fabien Wernli" <wernli at in2p3.fr> wrote:

> Hi again,
>
> On Tue, Sep 30, 2014 at 03:04:32PM -0400, Justin Kala wrote:
> > example: what to put in place of timezone ,hostname, program etc.
> > especially this part "2014-09-28T14:12:44-04:00 abcdef01-app/abcdef01-app
> > sshd[11019]: [ID 800047
> > > auth.notice] " rest of the message is written in the example you
> provided
>
> First things first, you shouldn't need to worry about date, host and
> program: they are automatically parsed by syslog-ng and cast
> respectively into the macros $DATE, $HOST, and $PROGRAM. The latter is
> used by patterndb to separate rulesets. So in
> your example, $PROGRAM=sshd, $MSG=[ID 800047 auth.notice] ...
>
> Secondly, if I were you, I wouldn't touch the patterndb: I'd rather rewrite
> all messages to drop the annoying prefix, and only then pass the result to
> the dbparser.
>
> If you don't know how to do that, I can be of further assistance :-)
>
> cheers
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
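Worked example for both questions in this exchange (added here; it is not code from the thread or from the syslog-ng project). It shows Fabien's suggestion as a syslog-ng rewrite rule that strips the Solaris "[ID nnnnnn facility.level] " prefix from $MESSAGE before db-parser runs, and a patterndb ruleset for sshd in which the authentication method (password, publickey, none, keyboard-interactive/pam, ...) is captured by an @ESTRING@ parser rather than enumerated; patterndb has no alternation inside a single pattern, so each distinct message shape ("Failed ... for invalid user ..." versus "Failed ... for ...") gets its own <pattern> element under <patterns>, and the <example> elements are test cases for `pdbtool test`, not a list of accepted values. The strip function applies the same regex with sed so the result can be checked without a running syslog-ng. File paths, source and destination names, rule ids and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread or from syslog-ng itself):
#  1. strip the Solaris "[ID nnnnnn facility.level] " prefix before db-parser,
#  2. a patterndb ruleset with one <pattern> per sshd message shape.
# Paths, rule ids, source/destination names and sample lines are assumptions.

# Same anchored regex the rewrite rule below uses, run through sed so the
# stripping can be checked here without syslog-ng installed.
strip_solaris_prefix() {
    printf '%s\n' "$1" | sed -E 's/^\[ID [0-9]+ [a-z0-9]+\.[a-z]+\] //'
}

# Constructed $MSG values as syslog-ng hands them to the rewrite step; $DATE,
# $HOST and $PROGRAM have already been split off by the syslog parser.
SAMPLE_ACCEPT='[ID 800047 auth.notice] Accepted publickey for jkala from 10.0.0.5 port 51234 ssh2'
SAMPLE_FAIL='[ID 800047 auth.info] Failed password for root from 10.0.0.9 port 40001 ssh2'
SAMPLE_PLAIN='Accepted keyboard-interactive/pam for jkala from 10.0.0.5 port 51235 ssh2'

# syslog-ng config fragment: the rewrite must sit before the parser in the log path.
write_syslog_ng_conf() {
    cat > "$1" <<'EOF'
rewrite r_drop_solaris_id {
    # Anchored at the start of $MESSAGE; lines without the prefix pass through unchanged.
    subst("^\\[ID [0-9]+ [a-z0-9]+\\.[a-z]+\\] ", "", value("MESSAGE"));
};

parser p_sshd_db {
    db-parser(file("/etc/syslog-ng/patterndb.d/sshd.xml"));
};

log {
    source(s_net);                 # assumed source name
    rewrite(r_drop_solaris_id);    # strip prefix first
    parser(p_sshd_db);             # then match against patterndb
    destination(d_parsed);         # assumed destination name
};
EOF
}

# Patterndb ruleset: $PROGRAM selects the ruleset; each <pattern> is one message
# shape; <example> entries are what `pdbtool test` checks.
write_patterndb() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2014-09-30">
  <ruleset name="sshd" id="sshd-auth-ruleset">
    <patterns>
      <pattern>sshd</pattern>
    </patterns>
    <rules>
      <rule provider="local" id="sshd-auth-accepted" class="system">
        <patterns>
          <!-- auth.method captures password, publickey, keyboard-interactive/pam, ... -->
          <pattern>Accepted @ESTRING:auth.method: @for @ESTRING:auth.user: @from @IPvANY:auth.client_ip@ port @NUMBER:auth.client_port@ ssh2</pattern>
        </patterns>
        <tags><tag>auth.success</tag></tags>
        <examples>
          <example>
            <test_message program="sshd">Accepted publickey for jkala from 10.0.0.5 port 51234 ssh2</test_message>
            <test_values>
              <test_value name="auth.method">publickey</test_value>
              <test_value name="auth.user">jkala</test_value>
              <test_value name="auth.client_ip">10.0.0.5</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
      <rule provider="local" id="sshd-auth-failed" class="system">
        <patterns>
          <pattern>Failed @ESTRING:auth.method: @for @ESTRING:auth.user: @from @IPvANY:auth.client_ip@ port @NUMBER:auth.client_port@ ssh2</pattern>
          <!-- "invalid user" changes the shape, so it is a second pattern, not an example -->
          <pattern>Failed @ESTRING:auth.method: @for invalid user @ESTRING:auth.user: @from @IPvANY:auth.client_ip@ port @NUMBER:auth.client_port@ ssh2</pattern>
        </patterns>
        <tags><tag>auth.failure</tag></tags>
        <examples>
          <example>
            <test_message program="sshd">Failed none for invalid user admin from 10.0.0.9 port 40002 ssh2</test_message>
            <test_values>
              <test_value name="auth.method">none</test_value>
              <test_value name="auth.user">admin</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
EOF
}

# Usage: sh sshd_pdb.sh /some/dir  -> writes sshd.conf and sshd.xml there and,
# if pdbtool is installed, runs the embedded examples against the ruleset.
if [ $# -ge 1 ]; then
    mkdir -p "$1"
    write_syslog_ng_conf "$1/sshd.conf"
    write_patterndb "$1/sshd.xml"
    strip_solaris_prefix "$SAMPLE_ACCEPT"
    command -v pdbtool >/dev/null 2>&1 && pdbtool test "$1/sshd.xml"
fi
```

The order in the log path is the whole point: the rewrite runs before the parser, so the patterns never see the prefix and can start directly with "Accepted" or "Failed". Newer OpenSSH versions append key details after "ssh2" (for example ": RSA SHA256:..."), which is again a different shape and would need one more <pattern>; `pdbtool match -p sshd.xml -P sshd -M '<message>'` shows which rule, if any, a given line hits.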