Log correlation with syslog-ng patterndb

I am trying to use syslog-ng and patterndb, but I have a problem with log correlation. The documentation on how to do this is here: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/73

My problem is that ${MACRO}@ does not work in my test. I am using the test case from the documentation's ssh session example (getting the ssh session duration from two log lines). My configuration is as follows.

syslog-ng --version

syslog-ng 3 (3.20.1)
Config version: 3.20
Installer-Version: 3.20.1
Revision: 3.20.1-1
Compile-Date: Feb 26 2019 15:16:58
Module-Directory: /usr/lib/syslog-ng/3.20
Module-Path: /usr/lib/syslog-ng/3.20
Include-Path: /usr/share/syslog-ng/include
Error opening plugin module; module='mod-java', error='libjvm.so: cannot open shared object file: No such file or directory'
Available-Modules: riemann,pseudofile,geoip-plugin,afmongodb,system-source,linux-kmsg-format,afsql,afprog,mod-python,redis,confgen,disk-buffer,afuser,hook-commands,cryptofuncs,add-contextual-data,afstomp,pacctformat,csvparser,affile,syslogformat,cef,appmodel,basicfuncs,tfgetent,http,snmptrapd-parser,afsocket,kvformat,geoip2-plugin,dbparser,tags-parser,date,stardate,sdjournal,map-value-pairs,xml,json-plugin,examples,afsmtp,graphite
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on

SSHD.xml

<patterndb version='4' pub_date='2010-10-17'>
  <ruleset name='sshd' id='12345678'>
    <pattern>sshd</pattern>
    <rules>
      <!-- The pattern database rule for the first log message -->
      <rule provider='me' id='12347598' class='system'
            context-id="ssh_session" context-timeout="86400"
            context-scope="process">
        <!-- Note the context-id that groups together the relevant messages,
             and the context-timeout value that determines how long a new
             message can be added to the context -->
        <patterns>
          <!-- This is the actual pattern used to identify the log message.
               The segments between the @ characters are parsers that
               recognize the variable parts of the message; they can also be
               used as macros. The pattern must stay on one line: whitespace
               inside <pattern> is part of the pattern. -->
          <pattern>Accepted @ESTRING:SSH.AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
        </patterns>
        <!-- <tags> is a child of <rule>, not of <patterns> -->
        <tags><tag>sshd</tag></tags>
      </rule>
      <!-- The pattern database rule for the fourth log message -->
      <rule provider='me' id='12347599' class='system'
            context-id="ssh_session" context-scope="process" context-timeout="86400">
        <patterns>
          <pattern>pam_unix(sshd:session): session closed for user @STRING:SSH_USERNAME:@</pattern>
        </patterns>
        <tags><tag>sshd</tag></tags>
        <actions>
          <action>
            <message>
              <values>
                <!--value name="MESSAGE">
                  $(context-length) An SSH session for ${SSH_USERNAME}@1 from ${SSH_CLIENT_ADDRESS}@2 closed. Session lasted from ${DATE}@2 to ${DATE}
                </value-->
                <value name="MESSAGE"> DEBUG: Length: $(context-length), sshusername: ${SSH_USERNAME}, sshusername1: ${SSH_USERNAME}@1, sshusername2: ${SSH_USERNAME}@2, client_address: ${SSH_CLIENT_ADDRESS}, client_address1: ${SSH_CLIENT_ADDRESS}@1, client_address2: ${SSH_CLIENT_ADDRESS}@2, sshportnumber:${SSH_PORT_NUMBER}, sshportnumber1: ${SSH_PORT_NUMBER}@1, MESSAGE0: ${MESSAGE}, MESSAGE1: ${MESSAGE}@1, MESSAGE2: ${MESSAGE}@2, MESSAGE3: ${MESSAGE}@3</value>
              </values>
              <tags><tag>debug</tag></tags>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>

syslog-ng.conf

source s_authlog_file {
    file("/var/log/auth.log" follow_freq(10));
};
parser p_patterndb {
    db_parser( file("/var/lib/syslog-ng/sshd.xml") );
};
destination d_debug {
    file("/tmp/debug.log");
};
filter f_debug2 {
    tags("debug");
};
log {
    source(s_authlog_file);
    parser(p_patterndb);
    log {
        filter(f_debug2);
        # the destination defined above is d_debug
        destination(d_debug);
    };
};

The current configuration writes this kind of output to the debug file, /tmp/debug.log:

Apr  1 17:44:34 username sshd[32446]:  DEBUG: Length: 2, sshusername: , sshusername1: user, sshusername2: , client_address: , client_address1: , client_address2: , sshportnumber:, sshportnumber1: , MESSAGE0: , MESSAGE1: pam_unix(sshd:session): session closed for user user, MESSAGE2: , MESSAGE3: 

I expected to see the "Accepted password" message as one of the messages in the context, but the context seems to consist of only 2 messages, and one of them is empty.

Can someone explain what I am doing wrong here?

Thanks =)
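To see what the correlation in the configuration above should produce before chasing it through syslog-ng itself, here is an added example (not code from the post or from the syslog-ng project) that replays the same two rules over a few constructed auth.log lines in Python. It keys contexts the way context-scope="process" does (host, program, pid), drops a context whose last message is older than the context-timeout, and reports, for each "session closed" line, what ${MACRO}@1 would resolve to from the first message in the context. The sample log lines, the year used to complete the syslog timestamps, the assumption that each added message restarts the timeout, and the regular expressions standing in for the @ESTRING@, @NUMBER@ and @STRING@ parsers are all assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample auth.log lines (not taken from the original post).
# Session 32446 and 32500 have an "Accepted" line; 32777 never logged one.
SAMPLE_AUTHLOG = """\
Apr  1 17:40:10 myhost sshd[32446]: Accepted password for user from 192.0.2.10 port 51234 ssh2
Apr  1 17:40:10 myhost sshd[32446]: pam_unix(sshd:session): session opened for user user by (uid=0)
Apr  1 17:41:00 myhost sshd[32500]: Accepted publickey for alice from 192.0.2.11 port 40000 ssh2
Apr  1 17:44:34 myhost sshd[32446]: pam_unix(sshd:session): session closed for user user
Apr  1 17:50:00 myhost sshd[32777]: pam_unix(sshd:session): session closed for user bob
Apr  1 17:52:30 myhost sshd[32500]: pam_unix(sshd:session): session closed for user alice
"""

# BSD syslog header as written to auth.log: timestamp, host, program[pid]: message
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Regex stand-ins for the two patterndb rules in the question (assumption).
ACCEPTED = re.compile(
    r"^Accepted (?P<auth_method>\S+) for (?P<username>\S+) from (?P<client>\S+) port (?P<port>\d+) ssh2"
)
CLOSED = re.compile(r"^pam_unix\(sshd:session\): session closed for user (?P<username>\S+)$")

CONTEXT_TIMEOUT = 86400  # seconds, the context-timeout used in the question


def parse_ts(ts, year):
    # syslog timestamps carry no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def correlate(log_text, year=2019, context_timeout=CONTEXT_TIMEOUT):
    """Return one summary dict per 'session closed' line.

    Contexts are keyed like context-scope="process" (host, program, pid) and
    hold only messages that matched a rule. A context is dropped when the gap
    since its last message exceeds context_timeout (assumed to restart on
    every message added, as the syslog-ng documentation describes).
    """
    contexts = {}
    summaries = []
    for line in log_text.splitlines():
        hdr = HEADER.match(line)
        if not hdr:
            continue
        ts = parse_ts(hdr.group("ts"), year)
        key = (hdr.group("host"), hdr.group("program"), hdr.group("pid"))
        ctx = contexts.get(key)
        if ctx and (ts - ctx[-1]["ts"]).total_seconds() > context_timeout:
            del contexts[key]          # timeout expired: start a fresh context
            ctx = None
        msg = hdr.group("msg")
        match = ACCEPTED.match(msg) or CLOSED.match(msg)
        if match is None:
            continue                   # no rule matched: message never enters a context
        entry = {"ts": ts, "msg": msg, **match.groupdict()}
        ctx = contexts.setdefault(key, [])
        ctx.append(entry)
        if CLOSED.match(msg):
            first = ctx[0]             # what ${MACRO}@1 refers to: first message in the context
            seen_accept = "client" in first
            summaries.append({
                "pid": key[2],
                "context_length": len(ctx),
                "username": entry["username"],
                # empty, like the poster's debug output, when no Accepted line was correlated
                "client": first["client"] if seen_accept else "",
                "auth_method": first["auth_method"] if seen_accept else "",
                "duration_s": int((ts - first["ts"]).total_seconds()) if seen_accept else None,
            })
            del contexts[key]          # the closing message ends the context
    return summaries


if __name__ == "__main__":
    for summary in correlate(SAMPLE_AUTHLOG):
        print(summary)
```

Running it with the default timeout gives context length 2 and a duration for the two sessions that have an "Accepted" line, and context length 1 with empty client fields for the session that does not; running it with a short timeout (for example 60 seconds) makes every context expire before its "session closed" line, which produces the same length-1, empty-field result. Comparing those two cases against the real debug output is a quick way to tell an unmatched pattern apart from an expired context.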
