The pattern-db of syslog-ng is extremely convenient for classifying individual messages or for picking out specific ones.
As soon as a message matches a pattern, it can be marked with a tag, and that tag can then be used in syslog-ng.conf.
For example:
<patterns>
<pattern>Accepted publickey for @STRING:.sys.ssh.user@ from @IPv4:.sys.ssh.ip@ port @NUMBER:.sys.ssh.srcport@</pattern>
</patterns>
<tags>
<tag>ssh</tag>
<tag>user-login</tag>
<tag>security</tag>
</tags>
I will not explain the syntax in detail. That comes in the new year, in January.
This marks every message of the form 'Accepted publickey for <user> from <ip> port <port>', for example:
Accepted publickey for clamavdb from 194.109.142.194 port 48575 ssh2
Note that pattern-db matches the message as a whole, not a substring, so the trailing 'ssh2' that sshd appends has to be covered as well, for instance by ending the pattern with ' @ANYSTRING@'. A pattern that stops at the port number will not fire on the line above.
After a match, syslog-ng makes the extracted values available as name-value pairs, three of them for this pattern:
.sys.ssh.user = clamavdb
.sys.ssh.ip = 194.109.142.194
.sys.ssh.srcport = 48575
In addition the message carries the three tags (ssh, user-login and security), which can be used in a filter:
filter f_sshd { tags("ssh"); };
The destination for SSH logins:
destination sshd { file("/var/log/ssh/${.sys.ssh.user}"); };
This destination writes all SSH logins below /var/log/ssh, one file per user (e.g. /var/log/ssh/root). syslog-ng does not create the directory by itself; either create it beforehand or add create_dirs(yes) to the file() driver. One caveat: the file name is built from a value taken out of the message, and the filter below selects every rule tagged ssh, not just this one. That is safe as long as all such rules extract the name of an account that really exists on the box, as 'Accepted publickey for' does. A rule for failed logins ('invalid user ...') would put a client-chosen string, slashes included, into the path, so do not tag such rules into the same destination.
Finally we need a log statement to tie source, parser, filter and destination together:
log {
source(src);
parser(pattern_db);
filter(f_sshd);
destination(sshd);
};
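To see what the log path above actually does to real lines, here is an added example that is not part of the post and not syslog-ng code: a small emulation that compiles @PARSER:name@ patterns into anchored regular expressions, applies the tags("ssh") filter and the per-user destination template, and runs them over a few constructed sshd messages. The second rule (failed logins) is hypothetical and exists only to show why the destination template needs a check once more rules carry the ssh tag; the sample lines are constructed, not captured from a real host.

```python
"""Emulation of the pattern-db rules from this post over constructed sshd lines.
Added example, not syslog-ng code: it shows that pattern-db matches the whole
message and that the destination file name comes straight out of the message."""
import re
from typing import Dict, List, Optional, Tuple

# Regex equivalents of the pattern-db parsers used here (assumption: default
# behaviour, i.e. @STRING@ runs up to the next whitespace).
PARSERS = {
    "STRING": r"\S+",
    "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NUMBER": r"\d+",
    "ANYSTRING": r".*",
}

# (pattern, tags). Rule 1 is the one from the post, with " @ANYSTRING@" added so
# the " ssh2" that sshd appends is consumed. Rule 2 is hypothetical.
RULES: List[Tuple[str, List[str]]] = [
    ("Accepted publickey for @STRING:.sys.ssh.user@ from @IPv4:.sys.ssh.ip@ "
     "port @NUMBER:.sys.ssh.srcport@ @ANYSTRING@",
     ["ssh", "user-login", "security"]),
    ("Failed password for invalid user @STRING:.sys.ssh.user@ from "
     "@IPv4:.sys.ssh.ip@ port @NUMBER:.sys.ssh.srcport@ @ANYSTRING@",
     ["ssh", "login-failure", "security"]),
]

# Constructed sample messages; the first one is the line quoted in the post.
SAMPLE_LINES = [
    "Accepted publickey for clamavdb from 194.109.142.194 port 48575 ssh2",
    "Accepted publickey for root from 10.0.0.5 port 2201 ssh2",
    "Failed password for invalid user ../../etc/cron.d/evil from 10.0.0.9 port 4040 ssh2",
    "Connection closed by 10.0.0.5 port 2201",
]

TOKEN = re.compile(r"@([A-Za-z0-9]+)(?::([^@:]*))?(?::([^@]*))?@")


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn a pattern-db pattern into a regex: literal text is escaped, every
    named parser becomes a named group (dots are not legal in Python group
    names, so they are mapped to "__" here and back in classify())."""
    out, pos = [], 0
    for m in TOKEN.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        parser, name = m.group(1), m.group(2)
        if parser not in PARSERS:
            raise ValueError(f"unsupported parser @{parser}@")
        if name:
            out.append(f"(?P<{name.replace('.', '__')}>{PARSERS[parser]})")
        else:
            out.append(f"(?:{PARSERS[parser]})")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("".join(out))


COMPILED = [(compile_pattern(p), tags) for p, tags in RULES]


def classify(message: str) -> Optional[Tuple[Dict[str, str], List[str]]]:
    """Return (name-value pairs, tags) of the first rule matching the *entire*
    message, or None: pattern-db is not a substring search."""
    for rx, tags in COMPILED:
        m = rx.fullmatch(message)
        if m:
            values = {k.replace("__", "."): v for k, v in m.groupdict().items()}
            return values, list(tags)
    return None


def ssh_destination(values: Dict[str, str]) -> str:
    """Emulate file("/var/log/ssh/${.sys.ssh.user}") plus the check syslog-ng
    does not do for you: refuse a user name that would leave the directory."""
    user = values[".sys.ssh.user"]
    if "/" in user or user in (".", ".."):
        raise ValueError(f"refusing to build a file name from {user!r}")
    return f"/var/log/ssh/{user}"


def route(lines: List[str]) -> List[Tuple[str, str]]:
    """The log path of the post: parser -> filter tags("ssh") -> destination.
    Returns (message, outcome), outcome being a file path or a reason."""
    result = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            result.append((line, "unmatched"))
            continue
        values, tags = hit
        if "ssh" not in tags:
            result.append((line, "dropped by f_sshd"))
            continue
        try:
            result.append((line, ssh_destination(values)))
        except ValueError as exc:
            result.append((line, f"rejected: {exc}"))
    return result


if __name__ == "__main__":
    for message, outcome in route(SAMPLE_LINES):
        print(f"{outcome:45} <- {message}")
```

Running it shows the first two lines landing in /var/log/ssh/clamavdb and /var/log/ssh/root, the 'invalid user' line being rejected because its user name contains slashes, and the unrelated 'Connection closed' line never matching. With the real syslog-ng config there is no such rejection step, which is why the destination template should only be fed by rules whose user name is a real account.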
The pattern-db is a very powerful and flexible tool for generating logs and filtering them selectively. It is also much faster than the CSV parser or a chain of filters, because all patterns are tried in a single pass over a radix tree instead of one regular expression after another.
I am making my pattern-db available for download. The documentation is still more than poor, but the files should give a good overview of what is possible. For questions, I am happy to help.
pattern-db.tar.bz2