How to use patterndb in syslog-ng
syslog-ng.conf
https://www.balabit.com/network-security/syslog-ng/opensource-logging-system/features/pattern-db
@define logfileName "/apps/syslog-ng/etc/testing.log"
@define Pattern1 ".*Exception.*"

# flags(no-parse) stores the whole line in $MSG and leaves $PROGRAM empty, but the
# ruleset <pattern>ssh</pattern> in example.xml is matched against $PROGRAM, so the
# program name has to be set explicitly or no rule in that ruleset can ever fire.
source s_app1.conf {
    file("`logfileName`" flags(no-parse) follow-freq(1) program-override("ssh"));
};

# Edit the variables below:
#   InstanceName in each template (needs to start with $HOST).
#   EventName (as numbered) in each template line.
#   Change the <first section> (the syslog PRI value) as required for severity:
#   186 -> Critical (critical)
#   187 -> Major (error)
#   188 -> Minor (warning)

# The parser loads the pattern database; the name/value pairs it extracts
# (SSH_USERNAME, SSH_CLIENT_ADDRESS, ...) become macros usable in templates and filters.
parser t_app1.conf_1 {
    db_parser(
        file("/apps/syslog-ng/etc/syslog-ng-patterndb-master/applications/openssh/example.xml")
    );
};

template t_app1.conf_1 {
    template("<186><$ISODATE>[HostName=$HOST][ClassName=Application][InstanceName=$HOST/BoB/app2-l1][EventName=`Pattern1`][LogFileName=`logfileName`][$MSG] ${SSH_USERNAME}; ${SSH_CLIENT_ADDRESS} \n");
    template_escape(no);
};

destination d_app1.conf_1 {
    syslog("10.54.20.98" transport("udp") port(514) template(t_app1.conf_1));
};

filter f_app1.conf_1 { message("`Pattern1`" flags("utf8" "ignore-case")); };

# The parser must be referenced in the log path; without parser() here the
# ${SSH_USERNAME} and ${SSH_CLIENT_ADDRESS} macros in the template stay empty.
log {
    source(s_app1.conf);
    filter(f_app1.conf_1);
    parser(t_app1.conf_1);
    destination(d_app1.conf_1);
    flags(final);
};
My pattern database XML
example.xml
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version="3" pub_date="2010-04-15">
  <ruleset name='ssh' id='123456678'>
    <pattern>ssh</pattern>
    <rules>
      <rule provider='me' id='182437592347598' class='system'>
        <patterns>
          <pattern>Accepted @ESTRING:SSH.AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="ssh">Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2</test_message>
            <test_values>
              <test_value name="SSH.AUTH_METHOD">password</test_value>
              <test_value name="SSH_USERNAME">sampleuser</test_value>
              <test_value name="SSH_CLIENT_ADDRESS">10.50.0.247</test_value>
              <test_value name="SSH_PORT_NUMBER">42156</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
I am trying to use patterndb together with syslog-ng by following their official blog. I was able to install and use syslog, but not patterndb, because there is no installation guide that describes how to use patterndb. If anyone has used patterndb with syslog on a Linux system, please guide me.
You can find the information in the official documentation of syslog-ng patterndb.
Basically, you want to create a patterndb file (you can find sample patterndb files on GitHub, and also in this blog post) and use it in your syslog-ng configuration to parse the log messages.
Then, depending on how or what you parsed, you can use the result in a destination template, for filtering, or for many other purposes.
Could you describe what you want to parse and why you want to parse it?
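To make the three steps in the answer concrete (pattern database, parsing, using the extracted values), here is an added example that is not part of the question or of syslog-ng itself. It is a small Python emulation of what `pdbtool test` and `pdbtool match` check: it loads the example.xml from the question (embedded as a constructed copy), compiles each `<pattern>` into a regular expression, runs the embedded `<test_message>` through it and compares the result with the `<test_values>`. It also shows the pitfall from the question's configuration: the ruleset `<pattern>ssh</pattern>` is matched against the program name, so a message whose $PROGRAM is empty (as with `flags(no-parse)` and no `program-override()`) never reaches the rule. The parser semantics here are a simplification and an assumption of this example, not syslog-ng's engine: only `@ESTRING@`, `@NUMBER@`, `@STRING@` and `@ANYSTRING@` are supported, `@NUMBER@` is approximated as decimal or 0x-prefixed hex, regex backtracking is allowed where syslog-ng's radix matcher would not backtrack, and ruleset patterns are treated as literal program names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the example.xml from the question, embedded so this runs offline.
EXAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<patterndb version="3" pub_date="2010-04-15">
<ruleset name='ssh' id='123456678'>
<pattern>ssh</pattern>
<rules>
<rule provider='me' id='182437592347598' class='system'>
<patterns>
<pattern>Accepted @ESTRING:SSH.AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
</patterns>
<examples>
<example>
<test_message program="ssh">Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2</test_message>
<test_values>
<test_value name="SSH.AUTH_METHOD">password</test_value>
<test_value name="SSH_USERNAME">sampleuser</test_value>
<test_value name="SSH_CLIENT_ADDRESS">10.50.0.247</test_value>
<test_value name="SSH_PORT_NUMBER">42156</test_value>
</test_values>
</example>
</examples>
</rule>
</rules>
</ruleset>
</patterndb>
"""

# A patterndb parser token looks like @PARSER:name:parameter@ (name and parameter optional).
TOKEN_RE = re.compile(r"@(?P<parser>[A-Z]+)(?::(?P<name>[^:@]*))?(?::(?P<param>[^@]*))?@")

# Assumed (simplified) regex equivalents for the fixed-format parsers used here.
PARSER_REGEX = {
    "NUMBER": r"-?(?:0x[0-9a-fA-F]+|[0-9]+)",
    "STRING": r"\S+",
    "ANYSTRING": r".*",
}


def compile_pattern(pattern):
    """Turn one <pattern> into (compiled regex, list of captured value names)."""
    parts, names, pos = ["^"], [], 0
    for tok in TOKEN_RE.finditer(pattern):
        # literal text between tokens; '@@' is the escape for a literal '@'
        parts.append(re.escape(pattern[pos:tok.start()].replace("@@", "@")))
        parser, name = tok.group("parser"), tok.group("name") or ""
        param = tok.group("param") or ""
        if parser == "ESTRING":
            # ESTRING consumes up to the delimiter given as parameter (or to end of line);
            # the delimiter itself is not part of the captured value
            capture, suffix = (r".*?", re.escape(param)) if param else (r".*", "")
        elif parser in PARSER_REGEX:
            capture, suffix = PARSER_REGEX[parser], ""
        else:
            raise ValueError(f"unsupported parser @{parser}@ in pattern: {pattern}")
        if name:
            names.append(name)
            parts.append("(" + capture + ")" + suffix)
        else:
            parts.append("(?:" + capture + ")" + suffix)  # anonymous parser: match only
        pos = tok.end()
    parts.append(re.escape(pattern[pos:].replace("@@", "@")))
    parts.append("$")
    return re.compile("".join(parts)), names


def load_db(xml_text):
    """Parse the patterndb XML into rulesets with compiled rule patterns."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rulesets = []
    for rs in root.findall("ruleset"):
        # ruleset-level <pattern> elements are the program names this ruleset applies to
        programs = [p.text for p in rs.findall("pattern")]
        rules = []
        for rule in rs.findall("rules/rule"):
            compiled = [compile_pattern(p.text) for p in rule.findall("patterns/pattern")]
            rules.append({"id": rule.get("id"), "class": rule.get("class"), "patterns": compiled})
        rulesets.append({"name": rs.get("name"), "programs": programs, "rules": rules})
    return rulesets


def match_message(db, program, message):
    """Return the name/value pairs the first matching rule extracts, or None."""
    for rs in db:
        if rs["programs"] and program not in rs["programs"]:
            continue  # this is why an empty $PROGRAM never matches the 'ssh' ruleset
        for rule in rs["rules"]:
            for regex, names in rule["patterns"]:
                m = regex.match(message)
                if m:
                    values = {".classifier.rule_id": rule["id"], ".classifier.class": rule["class"]}
                    values.update(zip(names, m.groups()))
                    return values
    return None


def run_examples(xml_text):
    """pdbtool-test style check: every <test_value> must come back from its <test_message>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    db = load_db(xml_text)
    failures = []
    for rule in root.iter("rule"):
        for ex in rule.findall("examples/example"):
            tm = ex.find("test_message")
            expected = {tv.get("name"): tv.text for tv in ex.findall("test_values/test_value")}
            got = match_message(db, tm.get("program", ""), tm.text)
            for name, value in expected.items():
                if got is None or got.get(name) != value:
                    failures.append((rule.get("id"), name, value, None if got is None else got.get(name)))
    return failures


if __name__ == "__main__":
    print("example check:", run_examples(EXAMPLE_XML) or "OK")
    db = load_db(EXAMPLE_XML)
    line = "Accepted password for sampleuser from 10.50.0.247 port 42156 ssh2"
    print("program=ssh :", match_message(db, "ssh", line))
    print("program=''  :", match_message(db, "", line))
```

The dictionary returned by `match_message()` is the set of macros a real `db_parser()` would make available in the log path, which is what the answer means by using the result in a template or a filter; the `program=''` case is the behaviour to expect from a `file()` source with `flags(no-parse)` unless the program name is supplied.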