[syslog-ng] patterndb and smtp to() issue

Alexandre DEPREZ alex at madrouter.com
Wed Jan 20 23:27:41 CET 2016


Hi all,

I'm using the pattern-db to extract values from a firewall's logs.

So far, everything's working great.

The log looks something like this:

Jan 20 2016 21:48:45: %ASA-7-746012: user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user

Using pdbtool and matching the log against the XML pattern file, this shows good results:

$ pdbtool match -P "%ASA-7-746012" -M "user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user" -p /etc/syslog-ng/patterndb.d/vpn-parser-up.xml -D -c
Pattern matching part:
user-identity: Add IP-User mapping @IPv4:VPN_IP=10.10.99.7@ - LOCAL\@STRING:VPN_USER=alex@ Succeeded - VPN user
Matching part:
user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user
Values:
MESSAGE=user-identity: Add IP-User mapping 10.10.99.7 - LOCAL\alex Succeeded - VPN user
PROGRAM=%ASA-7-746012
.classifier.class=vpn.access_log
.classifier.rule_id=019045a7383c252e57c20435ae5bf86c
VPN_IP=10.10.99.7
VPN_USER=alex
TAGS=


Here's the XML file:

<patterndb version='4' pub_date='2015-12-22'>
  <ruleset id='04ba26e756011614c57cf469fed7b5c0' name='%ASA-7-746012'>
    <pattern>%ASA-7-746012</pattern>
    <rules>
      <rule class='vpn.access_log' id='019045a7383c252e57c20435ae5bf86c' provider='alex'>
        <patterns>
          <pattern>user-identity: Add IP-User mapping @IPv4:VPN_IP@ - LOCAL\@STRING:VPN_USER@ Succeeded - VPN user</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>


Now, the problem lies in the destination, which uses the smtp driver.

destination vpn_mail_up {
        smtp(
                host("x.x.x.x")
                port(25)
                from("alex@x.y" "alex@x.y")
                to("${VPN_USER}@x.y")
                subject("vpn connection")
                body("vpn connection from ${VPN_USER}  with IP: ${VPN_IP}\n")
        );
};

The variable is functional inside the body() but not in the to() field.

Here's a dump I captured directly on the server of the TCP session to the mail server:

RCPT.TO:<${VPN_USER}@x.y>..
BDAT.411..
X-Mailer:.syslog-ng.3.5.6..
Date:.Wed,.20.Jan.2016.21:51:51.+0100..
From:.alex at x.y..
Message-Id:.<1453323111.149975.19608 at debian>..
To:."${VPN_USER}@x.y".<${VPN_USER}@x.y>..
Subject:.vpn.connection..
.BDAT.68..vpn.connection.from.alex..with.IP:.10.10.99.7.BDAT.2.LAST..

The variable is being populated in the body message but not the recipient.

Is there any chance the variable can only be used once (!?), or that it cannot be used inside to()?

Regards,

Alex
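As an added illustration (not code from the post or from syslog-ng), the following Python script reproduces what the pattern-db match above does for this rule: it splits the ASA line into program and message, compiles the rule's @IPv4:VPN_IP@ and @STRING:VPN_USER@ placeholders into a regular expression, and returns the same VPN_IP / VPN_USER values that pdbtool prints. It assumes the two parser types behave like patterndb's defaults (IPv4 as a dotted quad, STRING up to the next whitespace). The recipient helper is an assumed check, not part of the thread: a user name lifted out of a log line and placed in a mail recipient should be validated against a strict allow-list of characters before it is used.

```python
import ipaddress
import re

# Constructed sample line, shaped like the ASA-7-746012 message in the post.
SAMPLE_LOG = ("Jan 20 2016 21:48:45: %ASA-7-746012: user-identity: "
              "Add IP-User mapping 10.10.99.7 - LOCAL\\alex Succeeded - VPN user")

# Program and rule patterns as they appear in the post's ruleset.
PROGRAM_PATTERN = "%ASA-7-746012"
RULE_PATTERN = ("user-identity: Add IP-User mapping @IPv4:VPN_IP@ - "
                "LOCAL\\@STRING:VPN_USER@ Succeeded - VPN user")

# Assumed regex equivalents of the two patterndb parser types used in the rule.
PARSER_RE = {
    "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}",   # dotted quad, range-checked below
    "STRING": r"\S+",                     # non-whitespace run (patterndb default)
}

# @TYPE:NAME@ placeholder syntax used by patterndb rules.
TOKEN_RE = re.compile(r"@(IPv4|STRING):([A-Za-z_][A-Za-z0-9_]*)@")

# Assumed ASA line layout: "<timestamp>: <program>: <message>".
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
                     r"(?P<program>%ASA-\d-\d+): (?P<message>.*)$")


def compile_pattern(pattern):
    """Turn a patterndb rule pattern into an anchored regex with named groups."""
    parts = []
    pos = 0
    for m in TOKEN_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))   # literal text
        parts.append("(?P<%s>%s)" % (m.group(2), PARSER_RE[m.group(1)]))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def match_line(line):
    """Return the extracted name/value pairs for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("program") != PROGRAM_PATTERN:
        return None                       # wrong ruleset: no match
    r = compile_pattern(RULE_PATTERN).match(m.group("message"))
    if not r:
        return None                       # right program, different message
    values = r.groupdict()
    # The regex only checks the shape; reject octets above 255.
    ipaddress.IPv4Address(values["VPN_IP"])
    return values


# Assumed allow-list for a user name that will become the local part of a recipient.
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def recipient_for(values, domain="x.y"):
    """Build the to() address, refusing names that are not plain local parts."""
    user = values["VPN_USER"]
    if not LOCAL_PART_RE.match(user):
        raise ValueError("refusing to build a recipient from %r" % user)
    return "%s@%s" % (user, domain)


if __name__ == "__main__":
    extracted = match_line(SAMPLE_LOG)
    print(extracted)                      # {'VPN_IP': '10.10.99.7', 'VPN_USER': 'alex'}
    print(recipient_for(extracted))       # alex@x.y
```

Running it on the sample line yields the same VPN_IP and VPN_USER values that pdbtool reports, and a line with a different %ASA message id falls through with no match.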