I'm trying to play with syslog-ng and patterndb and I am having trouble with log correlation. The documentation on how to do it is here : https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/73
My issue is that the ${MACRO}@ is not working for my test. I am using the test case from the documentation on ssh sessions (get ssh session duration from 2 lines of log). Here is my configuration:
syslog-ng --version
syslog-ng 3 (3.20.1)
Config version: 3.20
Installer-Version: 3.20.1
Revision: 3.20.1-1
Compile-Date: Feb 26 2019 15:16:58
Module-Directory: /usr/lib/syslog-ng/3.20
Module-Path: /usr/lib/syslog-ng/3.20
Include-Path: /usr/share/syslog-ng/include
Error opening plugin module; module='mod-java', error='libjvm.so: cannot open shared object file: No such file or directory'
Available-Modules: riemann,pseudofile,geoip-plugin,afmongodb,system-source,linux-kmsg-format,afsql,afprog,mod-python,redis,confgen,disk-buffer,afuser,hook-commands,cryptofuncs,add-contextual-data,afstomp,pacctformat,csvparser,affile,syslogformat,cef,appmodel,basicfuncs,tfgetent,http,snmptrapd-parser,afsocket,kvformat,geoip2-plugin,dbparser,tags-parser,date,stardate,sdjournal,map-value-pairs,xml,json-plugin,examples,afsmtp,graphite
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on
sshd.xml
<patterndb version='4' pub_date='2010-10-17'>
<ruleset name='sshd' id='12345678'>
<pattern>sshd</pattern>
<rules>
<!-- The pattern database rule for the first log message -->
<rule provider='me' id='12347598' class='system'
context-id="ssh_session" context-timeout="86400"
context-scope="process">
<!-- Note the context-id that groups together the
relevant messages, and the context-timeout value that
determines how long a new message can be added to the
context -->
<patterns>
<pattern>Accepted @ESTRING:SSH.AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2
</pattern>
<tags><tag>sshd</tag></tags>
<!-- This is the actual pattern used to identify
the log message. The segments between the @
characters are parsers that recognize the variable
parts of the message - they can also be used as
macros. -->
</patterns>
</rule>
<!-- The pattern database rule for the fourth log message -->
<rule provider='me' id='12347599' class='system' context-id="ssh_session" context-scope="process" context-timeout="86400">
<patterns>
<pattern>pam_unix(sshd:session): session closed for user @STRING:SSH_USERNAME:@</pattern>
</patterns>
<tags><tag>sshd</tag></tags>
<actions>
<action>
<message>
<values>
<!--value name="MESSAGE">
$(context-length) An SSH session for ${SSH_USERNAME}@1 from ${SSH_CLIENT_ADDRESS}@2 closed. Session lasted from ${DATE}@2 to ${DATE}
</value-->
<value name="MESSAGE"> DEBUG: Length: $(context-length), sshusername: ${SSH_USERNAME}, sshusername1: ${SSH_USERNAME}@1, sshusername2: ${SSH_USERNAME}@2, client_address: ${SSH_CLIENT_ADDRESS}, client_address1: ${SSH_CLIENT_ADDRESS}@1, client_address2: ${SSH_CLIENT_ADDRESS}@2, sshportnumber:${SSH_PORT_NUMBER}, sshportnumber1: ${SSH_PORT_NUMBER}@1, MESSAGE0: ${MESSAGE}, MESSAGE1: ${MESSAGE}@1, MESSAGE2: ${MESSAGE}@2, MESSAGE3: ${MESSAGE}@3
</value>
</values>
<tags><tag>debug</tag></tags>
</message>
</action>
</actions>
</rule>
</rules>
</ruleset>
syslog-ng.conf
source s_authlog_file {
file("/var/log/auth.log" follow_freq(10));
};
parser p_patterndb {
db_parser( file("/var/lib/syslog-ng/sshd.xml") );
};
destination d_debug {
file("/tmp/debug.log");
};
filter f_debug2 {
tags("debug")
};
log {
source(s_authlog_file);
parser(p_patterndb);
log{
filter(f_debug2);
destination(d_debug2);
};
};
This current configuration is writing this kind of output in the debug file: /tmp/debug.log
Apr 1 17:44:34 username sshd[32446]: DEBUG: Length: 2, sshusername: , sshusername1: user, sshusername2: , client_address: , client_address1: , client_address2: , sshportnumber:, sshportnumber1: , MESSAGE0: , MESSAGE1: pam_unix(sshd:session): session closed for user user, MESSAGE2: , MESSAGE3:
I was expecting to see the message Accepted password for one of the message in the context but it appears that the context is only made of 2 messages and one of them is blank.
Can someone explain to me what I'm doing wrong here?
Thank you =)
