I am trying to experiment with syslog-ng and patterndb and am having trouble with log correlation. The documentation for it is here: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/73
My problem is that ${MACRO}@ does not work in my test. I am using the test case from the documentation on SSH sessions (determining the duration of an SSH session from 2 log lines). Here is my configuration:
syslog-ng --version
syslog-ng 3 (3.20.1)
Config version: 3.20
Installer-Version: 3.20.1
Revision: 3.20.1-1
Compile-Date: Feb 26 2019 15:16:58
Module-Directory: /usr/lib/syslog-ng/3.20
Module-Path: /usr/lib/syslog-ng/3.20
Include-Path: /usr/share/syslog-ng/include
Error opening plugin module; module='mod-java', error='libjvm.so: cannot open shared object file: No such file or directory'
Available-Modules: riemann,pseudofile,geoip-plugin,afmongodb,system-source,linux-kmsg-format,afsql,afprog,mod-python,redis,confgen,disk-buffer,afuser,hook-commands,cryptofuncs,add-contextual-data,afstomp,pacctformat,csvparser,affile,syslogformat,cef,appmodel,basicfuncs,tfgetent,http,snmptrapd-parser,afsocket,kvformat,geoip2-plugin,dbparser,tags-parser,date,stardate,sdjournal,map-value-pairs,xml,json-plugin,examples,afsmtp,graphite
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on
sshd.xml
<patterndb version='4' pub_date='2010-10-17'>
  <ruleset name='sshd' id='12345678'>
    <pattern>sshd</pattern>
    <rules>
      <!-- The pattern database rule for the first log message -->
      <rule provider='me' id='12347598' class='system'
            context-id="ssh_session" context-timeout="86400"
            context-scope="process">
        <!-- Note the context-id that groups together the
             relevant messages, and the context-timeout value that
             determines how long a new message can be added to the
             context -->
        <patterns>
          <pattern>Accepted @ESTRING:SSH.AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
          <tags><tag>sshd</tag></tags>
          <!-- This is the actual pattern used to identify
               the log message. The segments between the @
               characters are parsers that recognize the variable
               parts of the message - they can also be used as
               macros. -->
        </patterns>
      </rule>
      <!-- The pattern database rule for the fourth log message -->
      <rule provider='me' id='12347599' class='system' context-id="ssh_session" context-scope="process" context-timeout="86400">
        <patterns>
          <pattern>pam_unix(sshd:session): session closed for user @STRING:SSH_USERNAME:@</pattern>
        </patterns>
        <tags><tag>sshd</tag></tags>
        <actions>
          <action>
            <message>
              <values>
                <!--value name="MESSAGE">
                  $(context-length) An SSH session for ${SSH_USERNAME}@1 from ${SSH_CLIENT_ADDRESS}@2 closed. Session lasted from ${DATE}@2 to ${DATE}
                </value-->
                <value name="MESSAGE"> DEBUG: Length: $(context-length), sshusername: ${SSH_USERNAME}, sshusername1: ${SSH_USERNAME}@1, sshusername2: ${SSH_USERNAME}@2, client_address: ${SSH_CLIENT_ADDRESS}, client_address1: ${SSH_CLIENT_ADDRESS}@1, client_address2: ${SSH_CLIENT_ADDRESS}@2, sshportnumber:${SSH_PORT_NUMBER}, sshportnumber1: ${SSH_PORT_NUMBER}@1, MESSAGE0: ${MESSAGE}, MESSAGE1: ${MESSAGE}@1, MESSAGE2: ${MESSAGE}@2, MESSAGE3: ${MESSAGE}@3
                </value>
              </values>
              <tags><tag>debug</tag></tags>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
syslog-ng.conf
source s_authlog_file {
    file("/var/log/auth.log" follow_freq(10));
};
parser p_patterndb {
    db_parser( file("/var/lib/syslog-ng/sshd.xml") );
};
destination d_debug {
    file("/tmp/debug.log");
};
filter f_debug2 {
    tags("debug");
};
log {
    source(s_authlog_file);
    parser(p_patterndb);
    log {
        filter(f_debug2);
        destination(d_debug);
    };
};
This current configuration writes this kind of output to the debug file /tmp/debug.log:
Apr 1 17:44:34 username sshd[32446]: DEBUG: Length: 2, sshusername: , sshusername1: user, sshusername2: , client_address: , client_address1: , client_address2: , sshportnumber:, sshportnumber1: , MESSAGE0: , MESSAGE1: pam_unix(sshd:session): session closed for user user, MESSAGE2: , MESSAGE3:
I expected to see the "Accepted password" message as one of the messages in the context, but it seems that the context consists of only two messages and one of them is empty.
Can someone explain what I am doing wrong here?
Thanks =)
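For readers trying to understand what the two patterndb rules above are meant to produce, here is a stand-alone Python correlator that mimics the same logic outside syslog-ng: it groups the "Accepted ... ssh2" and "session closed" lines into one context per (host, program, pid), which is what context-scope="process" keys on, and emits a session summary with the duration when the closing line arrives. This is an added illustration, not syslog-ng or patterndb code; the sample auth.log lines, the year used to complete the syslog timestamps and the function names are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample auth.log lines (not taken from the original post).
# Two sshd child processes (pids 32446 and 32450) each log an accepted
# login and, later, a PAM session-closed message.
SAMPLE_LOG = """\
Apr  1 17:40:10 username sshd[32446]: Accepted password for user from 192.0.2.10 port 51234 ssh2
Apr  1 17:40:10 username sshd[32446]: pam_unix(sshd:session): session opened for user user by (uid=0)
Apr  1 17:41:02 username sshd[32450]: Accepted publickey for alice from 192.0.2.11 port 51300 ssh2
Apr  1 17:44:34 username sshd[32446]: pam_unix(sshd:session): session closed for user user
Apr  1 17:50:00 username sshd[32450]: pam_unix(sshd:session): session closed for user alice
"""

# BSD-syslog header: timestamp, host, program[pid]: message
HEADER_RE = re.compile(
    r'^(?P<date>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<program>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<message>.*)$')
# Equivalent of the patterndb "Accepted ... ssh2" pattern (ESTRING stops at the next space).
ACCEPTED_RE = re.compile(
    r'^Accepted (?P<auth_method>\S+) for (?P<username>\S+) from '
    r'(?P<client>\S+) port (?P<port>\d+) ssh2$')
# Equivalent of the "session closed for user @STRING:SSH_USERNAME:@" pattern.
CLOSED_RE = re.compile(r'^pam_unix\(sshd:session\): session closed for user (?P<username>\S+)$')


def parse_timestamp(date_text, year):
    """syslog timestamps carry no year; the caller supplies one (assumption)."""
    return datetime.strptime(f"{year} {' '.join(date_text.split())}", "%Y %b %d %H:%M:%S")


def correlate(lines, year=2019):
    """Return one summary dict per closed SSH session, in closing order."""
    contexts = {}   # (host, program, pid) -> list of matched messages, like context-scope="process"
    results = []
    for line in lines:
        hdr = HEADER_RE.match(line)
        if not hdr:
            continue
        key = (hdr['host'], hdr['program'], hdr['pid'])
        when = parse_timestamp(hdr['date'], year)
        accepted = ACCEPTED_RE.match(hdr['message'])
        if accepted:
            # First rule: open (or extend) the context for this process.
            contexts.setdefault(key, []).append({'date': when, **accepted.groupdict()})
            continue
        closed = CLOSED_RE.match(hdr['message'])
        if not closed:
            continue   # lines matching no rule never join the context
        # Second rule: this message joins the same context, then the action fires.
        ctx = contexts.pop(key, [])   # real patterndb keeps the context until context-timeout
        ctx.append({'date': when, 'username': closed['username']})
        first = ctx[0]
        results.append({
            'username': first.get('username', closed['username']),
            'client': first.get('client', ''),
            'first_date': first['date'],
            'last_date': when,
            'duration_seconds': int((when - first['date']).total_seconds()),
            'context_length': len(ctx),
        })
    return results


def format_summary(r):
    """Render a summary in the shape of the documentation's example action message."""
    return (f"An SSH session for {r['username']} from {r['client']} closed. "
            f"Session lasted from {r['first_date']:%H:%M:%S} to {r['last_date']:%H:%M:%S} "
            f"({r['duration_seconds']} s, {r['context_length']} messages in context)")


if __name__ == "__main__":
    for summary in correlate(SAMPLE_LOG.splitlines()):
        print(format_summary(summary))
```

Note that the "session opened" line is deliberately ignored, just as it is by the ruleset above: only messages that match a rule carrying the same context-id are added to the context, so the context length reported for each session is 2.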