I am trying to use syslog-ng with patterndb, but I am having trouble with log correlation. The documentation on how to do this is here: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/73
My problem is that ${MACRO}@ does not work in my tests. I am using the ssh session test case from the documentation (getting the ssh session duration from two log lines). My configuration is as follows:
syslog-ng --version
syslog-ng 3 (3.20.1)
Config version: 3.20
Installer-Version: 3.20.1
Revision: 3.20.1-1
Compile-Date: Feb 26 2019 15:16:58
Module-Directory: /usr/lib/syslog-ng/3.20
Module-Path: /usr/lib/syslog-ng/3.20
Include-Path: /usr/share/syslog-ng/include
Error opening plugin module; module='mod-java', error='libjvm.so: cannot open shared object file: No such file or directory'
Available-Modules: riemann,pseudofile,geoip-plugin,afmongodb,system-source,linux-kmsg-format,afsql,afprog,mod-python,redis,confgen,disk-buffer,afuser,hook-commands,cryptofuncs,add-contextual-data,afstomp,pacctformat,csvparser,affile,syslogformat,cef,appmodel,basicfuncs,tfgetent,http,snmptrapd-parser,afsocket,kvformat,geoip2-plugin,dbparser,tags-parser,date,stardate,sdjournal,map-value-pairs,xml,json-plugin,examples,afsmtp,graphite
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on
SSHD.xml
<patterndb version='4' pub_date='2010-10-17'>
  <ruleset name='sshd' id='12345678'>
    <!-- ruleset-level pattern: matched against the PROGRAM field -->
    <pattern>sshd</pattern>
    <rules>
      <!-- The pattern database rule for the first log message -->
      <rule provider='me' id='12347598' class='system'
            context-id="ssh_session" context-timeout="86400"
            context-scope="process">
        <!-- Note the context-id that groups together the
             relevant messages, and the context-timeout value that
             determines how long a new message can be added to the
             context -->
        <patterns>
          <!-- This is the actual pattern used to identify the log message,
               kept on a single line. The segments between the @ characters
               are parsers that recognize the variable parts of the message;
               they can also be used as macros. -->
          <pattern>Accepted @ESTRING:SSH.AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
        </patterns>
        <tags><tag>sshd</tag></tags>
      </rule>
      <!-- The pattern database rule for the fourth log message -->
      <rule provider='me' id='12347599' class='system'
            context-id="ssh_session" context-scope="process" context-timeout="86400">
        <patterns>
          <pattern>pam_unix(sshd:session): session closed for user @STRING:SSH_USERNAME:@</pattern>
        </patterns>
        <tags><tag>sshd</tag></tags>
        <actions>
          <action>
            <message>
              <values>
                <!--value name="MESSAGE">
                $(context-length) An SSH session for ${SSH_USERNAME}@1 from ${SSH_CLIENT_ADDRESS}@2 closed. Session lasted from ${DATE}@2 to ${DATE}
                </value-->
                <value name="MESSAGE"> DEBUG: Length: $(context-length), sshusername: ${SSH_USERNAME}, sshusername1: ${SSH_USERNAME}@1, sshusername2: ${SSH_USERNAME}@2, client_address: ${SSH_CLIENT_ADDRESS}, client_address1: ${SSH_CLIENT_ADDRESS}@1, client_address2: ${SSH_CLIENT_ADDRESS}@2, sshportnumber:${SSH_PORT_NUMBER}, sshportnumber1: ${SSH_PORT_NUMBER}@1, MESSAGE0: ${MESSAGE}, MESSAGE1: ${MESSAGE}@1, MESSAGE2: ${MESSAGE}@2, MESSAGE3: ${MESSAGE}@3
                </value>
              </values>
              <!-- the generated message carries this tag; the source messages do not -->
              <tags><tag>debug</tag></tags>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
syslog-ng.conf
@version: 3.20

source s_authlog_file {
    file("/var/log/auth.log" follow_freq(10));
};

# correlation rules; the ruleset's <pattern>sshd</pattern> selects sshd messages
parser p_patterndb {
    db_parser( file("/var/lib/syslog-ng/sshd.xml") );
};

destination d_debug {
    file("/tmp/debug.log");
};

# only the messages generated by the patterndb action carry the "debug" tag
filter f_debug {
    tags("debug");
};

log {
    source(s_authlog_file);
    parser(p_patterndb);
    log {
        filter(f_debug);
        destination(d_debug);
    };
};
The current configuration writes this kind of output to the debug file, /tmp/debug.log:
Apr 1 17:44:34 username sshd[32446]: DEBUG: Length: 2, sshusername: , sshusername1: user, sshusername2: , client_address: , client_address1: , client_address2: , sshportnumber:, sshportnumber1: , MESSAGE0: , MESSAGE1: pam_unix(sshd:session): session closed for user user, MESSAGE2: , MESSAGE3:
I expected to see the "Accepted password" message as one of the messages in the context, but the context seems to consist of only 2 messages, one of which is empty.
Can someone explain what I am doing wrong here?
Thanks =)
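The correlation the post is setting up, modelled in Python as an added example (it is not part of the original post and not syslog-ng's own code). It takes the two patterns from sshd.xml verbatim, converts the @ESTRING@/@STRING@/@NUMBER@ parsers into regexes (a simplification of the real parsers, and @@ escapes are not modelled), groups matching messages into contexts keyed the way context-scope="process" does (HOST, PROGRAM and PID must agree), and resolves ${NAME}@N references with N=1 being the first message added to the context, as the documentation linked above describes. The sample auth.log lines are constructed, and the names ts, Correlator, match_pattern and run are this example's own.

```python
"""Toy model of syslog-ng patterndb correlation for the post's two sshd rules (added
example, not syslog-ng code): @ESTRING@/@STRING@/@NUMBER@ parsers become regexes (a
simplification), contexts are keyed by context-scope, ${NAME}@N counts from the oldest (N=1)."""
import re
from datetime import datetime, timedelta

# Constructed sample lines; not taken from the post's /var/log/auth.log.
SAMPLE = """\
Apr  1 17:40:01 host1 sshd[32446]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Apr  1 17:40:01 host1 sshd[32446]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Apr  1 17:44:34 host1 sshd[32446]: pam_unix(sshd:session): session closed for user alice
Apr  1 17:50:00 host1 sshd[32501]: pam_unix(sshd:session): session closed for user bob
"""

# (pattern as written in sshd.xml, action message or None).  @1 addresses the "Accepted"
# values: it is the first message to enter a context, so @2 is already the "closed" line.
RULES = [
    ("Accepted @ESTRING:SSH.AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from "
     "@ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2", None),
    ("pam_unix(sshd:session): session closed for user @STRING:SSH_USERNAME:@",
     "$(context-length) An SSH session for ${SSH_USERNAME}@1 from ${SSH_CLIENT_ADDRESS}@1 "
     "closed. Session lasted from ${DATE}@1 to ${DATE}"),
]

SYSLOG_RE = re.compile(r"^(?P<date>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<program>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PARSER_RE = re.compile(r"@(?P<kind>[A-Z]+):(?P<name>[^:@]+):(?P<param>[^@]*)@")
MACRO_RE = re.compile(r"\$\{(?P<name>[A-Z_.]+)\}(?:@(?P<idx>\d+))?")
# context-scope decides which header fields, besides context-id, have to agree
SCOPE_FIELDS = {"global": (), "host": ("HOST",), "program": ("HOST", "PROGRAM"), "process": ("HOST", "PROGRAM", "PID")}
# BSD syslog timestamps carry no year; good enough for differences within one month
ts = lambda date: datetime.strptime(date, "%b %d %H:%M:%S")


def pattern_to_regex(pattern):
    """(regex, [(group, name)]): literal text (spaces included) must match exactly,
    and the regex is anchored because a patterndb pattern has to cover the whole message."""
    parts, names, pos = [], [], 0
    for m in PARSER_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        kind, name, param = m.group("kind", "name", "param")
        group = name.replace(".", "_")          # regex group names cannot contain '.'
        names.append((group, name))
        if kind == "ESTRING":                   # text up to the delimiter, which is consumed
            parts.append(f"(?P<{group}>.*?){re.escape(param)}")
        elif kind == "STRING":                  # alphanumerics plus any extra chars in param
            parts.append(f"(?P<{group}>[A-Za-z0-9{re.escape(param)}]+)")
        elif kind == "NUMBER":
            parts.append(fr"(?P<{group}>-?\d+)")
        else:
            raise ValueError(f"@{kind}@ is not modelled here")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$"), names


def match_pattern(pattern, message):
    """What 'pdbtool match' answers on a real box: the parsed values, or None."""
    regex, names = pattern_to_regex(pattern)
    m = regex.match(message)
    return None if m is None else {name: m.group(g) for g, name in names}


class Correlator:
    def __init__(self, scope="process", timeout=86400):
        self.fields, self.timeout = SCOPE_FIELDS[scope], timedelta(seconds=timeout)
        self.rules = [(pattern_to_regex(p), tmpl) for p, tmpl in RULES]
        self.contexts = {}                      # context key -> messages, oldest first

    def render(self, template, ctx):
        def macro(m):
            # bare ${NAME}: newest message (in this toy); ${NAME}@N: Nth oldest, 1-based;
            # a name the message does not carry expands to "", as in the DEBUG output
            n = len(ctx) if m["idx"] is None else int(m["idx"])
            src = ctx[n - 1] if 0 < n <= len(ctx) else {}
            return src.get(m["name"], "")
        return MACRO_RE.sub(macro, template.replace("$(context-length)", str(len(ctx))))

    def feed(self, line):
        hdr = SYSLOG_RE.match(line)
        if hdr is None:
            return None
        msg = {"DATE": hdr["date"], "HOST": hdr["host"], "PROGRAM": hdr["program"],
               "PID": hdr["pid"], "MESSAGE": hdr["msg"]}
        for (regex, names), template in self.rules:
            m = regex.match(msg["MESSAGE"])
            if m is None:
                continue
            msg.update({name: m.group(g) for g, name in names})
            key = ("ssh_session",) + tuple(msg[f] for f in self.fields)
            ctx = self.contexts.setdefault(key, [])
            if ctx and ts(msg["DATE"]) - ts(ctx[-1]["DATE"]) > self.timeout:
                ctx.clear()                     # idle context-timeout expired: start over
            ctx.append(msg)
            return self.render(template, ctx) if template else None
        return None                             # no rule matched: the line joins no context


def run(text, scope="process"):
    c = Correlator(scope)
    return [out for out in map(c.feed, text.splitlines()) if out is not None]
```

Two things the model makes visible. A line the first pattern does not match never enters the context, so the "session closed" line for bob ends up alone in its context and every @1 reference resolves to that line itself (its SSH_CLIENT_ADDRESS expands to an empty string), which is the shape of the DEBUG output above. And context-scope="process" keeps messages with different PIDs in different contexts, while "program" would put every sshd session on the host into one context and attribute bob's logout to alice's login. On the box itself, the equivalent of match_pattern is pdbtool match -p /var/lib/syslog-ng/sshd.xml -P sshd -M 'Accepted password for alice from 10.0.0.5 port 51022 ssh2', which prints the matched rule and the parsed name-value pairs, or nothing when no pattern covers the whole message.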