pattern-database for syslog-ng


The pattern-db of syslog-ng is extremely convenient for classifying individual messages or singling out specific ones.

As long as a message fits a certain pattern, it can be marked with a tag that can then be used in syslog-ng.conf.

For example:

<patterns>
  <pattern>Accepted publickey for @STRING:.sys.ssh.user@ from @IPv4:.sys.ssh.ip@ port @NUMBER:.sys.ssh.srcport@</pattern>
</patterns>
<tags>
  <tag>ssh</tag>
  <tag>user-login</tag>
  <tag>security</tag>
</tags>


I will not explain the syntax in detail here; that will come in the new year, in January.

This marks every message that contains ‘Accepted publickey for’ followed by a user name and an IP address, such as:

Accepted publickey for clamavdb from 194.109.142.194 port 48575 ssh2


For this message, the following two variables are then available inside syslog-ng:

.sys.ssh.user = clamavdb
.sys.ssh.ip = 194.109.142.194


In addition, the message is marked with three tags (ssh, user-login and security), which can be used inside a filter:

filter f_sshd { tags("ssh"); };


The destination for ssh connections:

destination sshd { file("/var/log/ssh/${.sys.ssh.user}"); };


This destination writes all ssh connections to the directory /var/log/ssh, with a separate log file for each user (for example /var/log/ssh/root).

Finally, we need a log statement to write the logs:

log {
  source(src);
  parser(pattern_db);
  filter(f_sshd);
  destination(sshd);
};
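To show how the pieces above fit together end to end, here is an added example (my own code, not part of this post and not syslog-ng's own implementation) that re-implements a small subset of pattern-db matching in Python. It loads a minimal pattern-db XML document built around the rule from the post, translates the @STRING@, @NUMBER@, @IPv4@, @ANYSTRING@ and @ESTRING@ parsers into regular expressions, extracts the name-value pairs, attaches the tags, and mimics the f_sshd filter plus the per-user destination. The XML layout (patterndb/ruleset/rules/rule) follows the v4 format, but the ruleset and rule ids are placeholders, the regular expressions are approximations (real pattern-db matches with a radix tree), and the sample messages are constructed. In syslog-ng itself, the pattern_db parser referenced in the log statement is a parser block declared with db-parser(file(...)) pointing at the XML file; that declaration is not shown in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed minimal pattern-db document (v4 layout) carrying the rule from the post.
# The ruleset/rule ids are placeholders; real files use UUIDs here.
PATTERNDB_XML = """
<patterndb version="4" pub_date="2010-12-23">
  <ruleset name="sshd" id="RULESET-ID-PLACEHOLDER">
    <pattern>sshd</pattern>
    <rules>
      <rule provider="example" id="RULE-ID-PLACEHOLDER" class="system">
        <patterns>
          <pattern>Accepted publickey for @STRING:.sys.ssh.user@ from @IPv4:.sys.ssh.ip@ port @NUMBER:.sys.ssh.srcport@</pattern>
        </patterns>
        <tags>
          <tag>ssh</tag>
          <tag>user-login</tag>
          <tag>security</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""

# Simplified regex equivalents of a few pattern-db parsers (ESTRING is built per delimiter below).
PARSER_REGEX = {
    "STRING": r"\S+",                        # up to the next whitespace
    "NUMBER": r"\d+",
    "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "ANYSTRING": r".*",                      # rest of the message
}

# @PARSER:name@ or @PARSER:name:param@ (name may be empty, e.g. @ESTRING::,@)
PARSER_REF = re.compile(r"@(?P<parser>[A-Za-z0-9]+)(?::(?P<name>[^@:]*)(?::(?P<param>[^@]*))?)?@")

def compile_pattern(pattern):
    """Turn a pattern-db pattern into a compiled regex plus the list of value names it captures.

    Regex group names cannot contain dots, so captures are stored as g0, g1, ... and mapped
    back to the pattern-db names (.sys.ssh.user etc.) through the returned list.
    """
    regex_parts, names, pos = [], [], 0
    for ref in PARSER_REF.finditer(pattern):
        regex_parts.append(re.escape(pattern[pos:ref.start()]))   # literal text between parsers
        parser, name, param = ref.group("parser", "name", "param")
        if parser == "ESTRING":                 # text up to (and consuming) a delimiter
            if not param:
                raise ValueError("ESTRING needs a delimiter: " + ref.group(0))
            body, tail = "[^%s]*" % re.escape(param), re.escape(param)
        elif parser in PARSER_REGEX:
            body, tail = PARSER_REGEX[parser], ""
        else:
            raise ValueError("unsupported parser: " + parser)
        if name:
            names.append(name)
            body = "(?P<g%d>%s)" % (len(names) - 1, body)
        regex_parts.append(body + tail)
        pos = ref.end()
    regex_parts.append(re.escape(pattern[pos:]))
    # Matching starts at the beginning of the message; trailing text the pattern does not
    # cover (the "ssh2" in the post's example) is ignored, as the post's example implies.
    return re.compile("^" + "".join(regex_parts)), names

def load_rules(xml_text):
    """Return (program, regex, names, tags) tuples for every pattern in the document."""
    rules = []
    for ruleset in ET.fromstring(xml_text).findall("ruleset"):
        program = ruleset.findtext("pattern")   # the ruleset pattern selects the program name
        for rule in ruleset.findall("rules/rule"):
            tags = [tag.text for tag in rule.findall("tags/tag")]
            for pat in rule.findall("patterns/pattern"):
                regex, names = compile_pattern(pat.text)
                rules.append((program, regex, names, tags))
    return rules

def classify(rules, program, message):
    """Return ({name: value}, [tags]) for the first matching rule, or ({}, []) if none matches."""
    for rule_program, regex, names, tags in rules:
        if rule_program != program:
            continue
        match = regex.match(message)
        if match:
            values = {name: match.group("g%d" % i) for i, name in enumerate(names)}
            return values, list(tags)
    return {}, []

# A log-derived value is about to become a file name, so only accept plain account names.
SAFE_USER = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]*$")

def route(values, tags, logdir="/var/log/ssh"):
    """Mimic filter f_sshd (tags("ssh")) plus destination sshd: return the per-user log path."""
    if "ssh" not in tags:
        return None
    user = values.get(".sys.ssh.user", "")
    if not SAFE_USER.match(user):
        return None
    return "%s/%s" % (logdir, user)

if __name__ == "__main__":
    rules = load_rules(PATTERNDB_XML)
    # Constructed sample messages: the one from the post and a non-matching one.
    for msg in ("Accepted publickey for clamavdb from 194.109.142.194 port 48575 ssh2",
                "Failed password for root from 198.51.100.7 port 51234 ssh2"):
        values, tags = classify(rules, "sshd", msg)
        print(msg, "->", values, tags, route(values, tags))
```

Running the script prints the extracted name-value pairs, the tags and the resulting per-user path for the post's sample line, and empty results for the non-matching line. The route() helper checks the user name before turning it into a path because the value comes straight from a log line and the destination in the post builds a file name from it.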


The pattern-db is a very powerful and flexible tool for classifying logs and filtering them selectively. It is also much faster than the CSV parser or a chain of several filters.

I am making my pattern-db available for download. The documentation is still rather poor, but the files should give a good overview of what is possible. I am happy to answer questions.
pattern-db.tar.bz2
