I am trying to make a correlation using patterndb. My requirement is that when an exception or a message gets added into a context more than 4 times in 60 seconds, a message gets generated. Here is my patterndb XML and syslog configuration file.

example.xml

    <patterndb version='4' pub_date='2010-10-17'>
      <ruleset name='ssh' id='123456678'>
        <pattern>ssh</pattern>
        <rules>
          <rule provider='me' id='182437592347598' context-id='ssh-login-logout' context-timeout='60' context-scope='process'>
            <patterns>
              <pattern>Exception in ssp @ESTRING:SSH_USERNAME:@</pattern>
            </patterns>
            <actions>
              <action condition='"$(context-length)" >= "4"'>
                <message>
                  <values>
                    <value name="PROGRAM">event</value>
                    <value name="abc">Sending mail now..</value>
                  </values>
                </message>
              </action>
              <!-- a bare '<' is not allowed inside an XML attribute value; it must be written as &lt; -->
              <action condition='"$(context-length)" &lt; "4"'>
                <message>
                  <values>
                    <value name="PROGRAM">event</value>
                    <value name="abc">Sending mail tommrow..</value>
                  </values>
                </message>
              </action>
            </actions>
          </rule>
        </rules>
      </ruleset>
    </patterndb>

app1.conf

    source test_logfile {
        file("/apps/syslog-ng/etc/testfile.log");
    };

    parser test_pattern {
        db_parser(
            file("/apps/syslog-ng/etc/example.xml")
        );
    };

    destination test_output {
        file("/apps/syslog-ng/etc/a.log" template("${abc}\n") template-escape(no));
    };

    log { source(test_logfile); parser(test_pattern); destination(test_output); flags(final); };

and I am writing this log message into testfile.log

    echo "ssh: Exception in ssp java.lang.ClassNotFoundException" >> testfile.log

But I am not getting the required message stored in "abc" in a.log, even though I write this message into testfile.log more than 4 times.

saurabh kumar
  • Hi, first check if the patterndb actually parses the message. For example, use ${SSH_USERNAME} in the destination template to see if the pattern actually matches. Do you get the "Sending mail now" messages when the context-length is < 4? – Robert Fekete Apr 11 '17 at 06:47
  • I get an empty message every time – saurabh kumar Apr 11 '17 at 06:52
  • Ok, remove the parser from the log path, and in the destination, use the ${MESSAGE} as template. Then check the output file, and see if the message in it corresponds to the pattern in the database file. I suspect that you'll have to add the "ssh: " string to the beginning of your pattern. – Robert Fekete Apr 11 '17 at 08:31
  • You mean like this: log { source(test_logfile); destination(${MESSAGE} ); flags(final); }; – saurabh kumar Apr 11 '17 at 08:53
  • Like: log { source(test_logfile); destination( file("/apps/syslog-ng/etc/a.log" template("${MESSAGE}\n") template-escape(no));} – Robert Fekete Apr 11 '17 at 10:28
  • Hi Robert, I have re-written the question here https://github.com/balabit/syslog-ng/issues/1430. Can you check it out? – saurabh kumar Apr 12 '17 at 05:43
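
To see what the rule in the question is expected to do, here is a small Python model of its correlation logic (an added example, not part of the original question and not syslog-ng's own code): the ruleset's program pattern, the ESTRING capture into SSH_USERNAME, the per-process context with its 60-second timeout, and the two action conditions. parse_line is a hypothetical, simplified stand-in for syslog-ng's syslog header parsing; whether the real parser extracts PROGRAM from the asker's unformatted line is exactly what the comments above ask to check.

```python
import re
import time

# Constants mirroring the rule in the question: one context per process,
# expiring 60 s after the last message, with the threshold set to 4.
CONTEXT_TIMEOUT = 60
THRESHOLD = 4
# '@ESTRING:SSH_USERNAME:@' with no delimiter captures the rest of the message.
PATTERN = re.compile(r"^Exception in ssp (?P<SSH_USERNAME>.*)$")


def parse_line(line):
    """Split 'program: message' (hypothetical, simplified stand-in for the
    syslog header parser; a real syslog line also carries PRI, date and host)."""
    program, sep, message = line.partition(": ")
    return (program, message) if sep else (None, line)


def match_message(line):
    """The first check suggested in the comments: what ${SSH_USERNAME} would
    hold, or None if the ruleset (PROGRAM == 'ssh') or the pattern does not match."""
    program, message = parse_line(line)
    if program != "ssh":
        return None
    m = PATTERN.match(message)
    return m.group("SSH_USERNAME") if m else None


class Correlator:
    """Counts matched messages per (HOST, PROGRAM, PID), like context-scope='process'."""

    def __init__(self):
        self.contexts = {}  # key -> (last_seen, context_length)

    def feed(self, line, host="localhost", pid="", now=None):
        """Return the 'abc' value of the generated message, or None if no match."""
        now = time.time() if now is None else now
        if match_message(line) is None:
            return None
        key = (host, "ssh", pid)
        last_seen, length = self.contexts.get(key, (now, 0))
        if now - last_seen > CONTEXT_TIMEOUT:  # context-timeout='60' elapsed
            length = 0
        length += 1                             # message is added before actions run
        self.contexts[key] = (now, length)
        # The two <action> conditions, evaluated on every matching message.
        return "Sending mail now.." if length >= THRESHOLD else "Sending mail tommrow.."
```

Feeding the asker's echo line four times within 60 seconds yields "Sending mail tommrow.." three times and then "Sending mail now.."; a line whose program part is not "ssh" produces nothing at all, which is the case the comments suspect.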

0 Answers