syslog-ng.conf
https://www.balabit.com/network-security/syslog-ng/opensource-logging-system/features/pattern-db
# Load-time constants; every `logfileName` / `Pattern1` reference below is
# replaced by these values when the configuration is read.
@define logfileName "/apps/syslog-ng/etc/testing.log"
# Used by filter f_app1.conf_1 and emitted verbatim as EventName by the template.
@define Pattern1 ".*Exception.*"

# Tail the application log file. no-parse skips syslog header parsing and
# keeps each whole line as the message text.
# NOTE(review): the patterndb ruleset is selected by program name, which
# no-parse does not extract from the line; confirm the parser still matches,
# or drop no-parse / set program-override() on this source.
source s_app1.conf {
    file(
        "`logfileName`"
        flags(no-parse)
        follow-freq(1)
    );
};
# Edit the variables below.
# InstanceName in each template (must start with $HOST).
# EventName (as numbered) in each template line.
# Change the leading <first section> (the syslog PRI, facility * 8 + severity) as required for severity:
# 186 -> Critical (critical)
# 187 -> Major (error)
# 188 -> Minor (warning)
# Pattern database for SSH messages (example.xml). Apply it in a log path
# with parser(pattern_db); db_parser only runs on messages that pass through it.
parser pattern_db { db_parser(file("/apps/syslog-ng/etc/syslog-ng-patterndb-master/applications/openssh/example.xml")); };
# Identical to pattern_db above (same XML file); only one of the two is needed.
# NOTE(review): this name is also used for the template below. Different object
# types appear to keep separate names, but reusing one makes log paths hard to read.
parser t_app1.conf_1 { db_parser(file("/apps/syslog-ng/etc/syslog-ng-patterndb-master/applications/openssh/example.xml")); };
# Output format used by d_app1.conf_1. The leading <186> is the syslog PRI
# (see the severity table above: 186 critical, 187 major/error, 188 minor/warning).
# `Pattern1` and `logfileName` are substituted when the config is loaded, so
# EventName is emitted as the literal text ".*Exception.*".
# NOTE(review): ${SSH_USERNAME} and ${SSH_CLIENT_ADDRESS} are only populated
# once db_parser has processed the message, i.e. the log path must contain
# parser(pattern_db). The name t_app1.conf_1 is shared with the parser above.
template t_app1.conf_1
{
template ("<186><$ISODATE>[HostName=$HOST][ClassName=Application][InstanceName=$HOST/BoB/app2-l1][EventName=`Pattern1`][LogFileName=`logfileName`][$MSG] ${SSH_USERNAME}; ${SSH_CLIENT_ADDRESS} \n");
template_escape(no);
};
destination d_app1.conf_1 { syslog("10.54.20.98" transport("udp") port(514) template(t_app1.conf_1)); };
filter f_app1.conf_1 { message("`Pattern1`" flags("utf8" "ignore-case") ); };
log { source(s_app1.conf); filter(f_app1.conf_1); destination(d_app1.conf_1); flags(final); };
My patterndb XML:
example.xml
<?xml version='1.0' encoding='UTF-8'?>
<!-- Pattern database loaded by the db_parser() parsers in syslog-ng.conf.
     It holds one rule that parses OpenSSH "Accepted ... ssh2" lines into the
     name-value pairs SSH.AUTH_METHOD, SSH_USERNAME, SSH_CLIENT_ADDRESS and
     SSH_PORT_NUMBER; the <example> block is the test vector for that rule
     (pdbtool can run it). -->
<patterndb version="3" pub_date="2010-04-15">
<!-- NOTE(review): a ruleset's own <pattern> selects messages by program name,
     not by message text; the test_message below declares program="ssh", so
     messages arriving from the file source must carry the same program value
     for this ruleset to be consulted at all. Confirm against the log format. -->
<ruleset name='ssh' id='123456678'>
<pattern>ssh</pattern>
<rules>
<!-- @ESTRING:NAME:delim@ captures text up to the delimiter given after the
     second colon (a space here); @NUMBER:NAME:@ captures a number. -->
<rule provider='me' id='182437592347598' class='system'>
<patterns>
<pattern>Accepted @ESTRING:SSH.AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
</patterns>
<examples>
<!-- Expected extraction for the test_message; each test_value name
     corresponds to a capture name in the pattern above. -->
<example>
<test_message program="ssh">Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2</test_message>
<test_values>
<test_value name="SSH.AUTH_METHOD">password</test_value>
<test_value name="SSH_USERNAME">sampleuser</test_value>
<test_value name="SSH_CLIENT_ADDRESS">10.50.0.247</test_value>
<test_value name="SSH_PORT_NUMBER">42156</test_value>
</test_values>
</example>
</examples>
</rule>
</rules>
</ruleset>
</patterndb>
I am trying to use patterndb with syslog-ng by going through their official blog. I am able to install and use syslog, but not patterndb, as there is no installation guide that describes how to use patterndb. If anyone has used patterndb with syslog on a Linux system, please guide me.
You can find information in the official documentation of syslog-ng patterndb.
Basically, you want to create a patterndb file (you can find sample patterndb files on GitHub, and also in this blog post), and use it in your syslog-ng configuration to parse the log messages.
Then, depending on how or what you have parsed, you can use the results in your destination template, or for filtering, or many other things.
Can you describe what and why you'd like to parse?