pattern-database for syslog-ng

The pattern-db of syslog-ng is extremely convenient for splitting individual messages into fields or for highlighting specific messages.

As soon as a message matches a pattern, it can be marked with a tag that can then be used in syslog-ng.conf.

For example:

<pattern>Accepted publickey for @STRING:.sys.ssh.user@ from @IPv4:.sys.ssh.ip@ port @NUMBER:.sys.ssh.srcport@</pattern>

I will not explain the syntax in detail here; that will come in January, in the new year.

This marks every message that contains ‘Accepted publickey for’ followed by a user name and an IP address, like

Accepted publickey for clamavdb from port 48575 ssh2

After a match, two variables are available in syslog-ng:

.sys.ssh.user = clamavdb
.sys.ssh.ip =

In addition, the message is marked with three tags (ssh, user-login, and security), which can be used inside a filter:

filter f_sshd { tags("ssh"); };
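A complete pattern database file carrying the rule from this post, as an added example (not the author's downloadable pattern-db). The ruleset and rule ids and the pub_date are placeholders that must be unique in your own setup, and the pattern ends with the literal ‘ ssh2’ seen in the sample line because patterndb matches against the whole message, not just its beginning.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Pattern database holding the sshd rule from the post.
     ruleset/rule ids and pub_date are placeholders: syslog-ng only
     requires the ids to be unique across loaded databases. -->
<patterndb version="4" pub_date="PLACEHOLDER-DATE">
  <ruleset name="sshd" id="PLACEHOLDER-RULESET-ID">
    <!-- A ruleset is selected by the program name of the message, so
         only messages logged by sshd are checked against its rules. -->
    <pattern>sshd</pattern>
    <rules>
      <rule provider="local" id="PLACEHOLDER-RULE-ID" class="system">
        <patterns>
          <!-- @STRING@, @IPv4@ and @NUMBER@ are built-in parsers; the
               name after the colon becomes the name-value pair that is
               set on the message when the pattern matches. The trailing
               " ssh2" is needed because the whole message must match. -->
          <pattern>Accepted publickey for @STRING:.sys.ssh.user@ from @IPv4:.sys.ssh.ip@ port @NUMBER:.sys.ssh.srcport@ ssh2</pattern>
        </patterns>
        <!-- Tags attached to every matching message; these are what
             a tags("ssh") filter in syslog-ng.conf tests for. -->
        <tags>
          <tag>ssh</tag>
          <tag>user-login</tag>
          <tag>security</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Load the file with a parser such as parser p_sshd { db-parser(file("/etc/syslog-ng/patterndb.d/sshd.xml")); }; (path assumed) and reference parser(p_sshd) in the log statement ahead of filter(f_sshd), so the tags exist by the time the filter runs. pdbtool match -p <file> -P sshd -M '<message>' shows offline which values and tags a given message would receive.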

The destination for ssh-connects:

destination sshd { file("/var/log/ssh/${.sys.ssh.user}"); };

This destination writes all ssh connects to the directory /var/log/ssh. Inside this directory a separate log file is written for each user (for example /var/log/ssh/root).

Finally we need a log statement to write the logs:

log {

The pattern-db is a very powerful and flexible tool for creating logs and filtering them selectively. This approach is also much faster than the CSV parser or chaining several filters in a row.

I am making my pattern-db available for download. The documentation is still rather poor, but the files should give a good overview of what is possible. For questions, I am happy to help.
