I'm trying to play with syslog-ng and patterndb and I'm having trouble with log correlation. The documentation on how to do this is here: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/73
My problem is that ${MACRO}@ isn't working in my test. I'm using the test case from the documentation about ssh sessions (get the duration of an ssh session from 2 log lines). Here is my configuration:
syslog-ng --version
syslog-ng 3 (3.20.1)
Config version: 3.20
Installer-Version: 3.20.1
Revision: 3.20.1-1
Compile-Date: Feb 26 2019 15:16:58
Module-Directory: /usr/lib/syslog-ng/3.20
Module-Path: /usr/lib/syslog-ng/3.20
Include-Path: /usr/share/syslog-ng/include
Error opening plugin module; module='mod-java', error='libjvm.so: cannot open shared object file: No such file or directory'
Available-Modules: riemann,pseudofile,geoip-plugin,afmongodb,system-source,linux-kmsg-format,afsql,afprog,mod-python,redis,confgen,disk-buffer,afuser,hook-commands,cryptofuncs,add-contextual-data,afstomp,pacctformat,csvparser,affile,syslogformat,cef,appmodel,basicfuncs,tfgetent,http,snmptrapd-parser,afsocket,kvformat,geoip2-plugin,dbparser,tags-parser,date,stardate,sdjournal,map-value-pairs,xml,json-plugin,examples,afsmtp,graphite
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on
sshd.xml
<patterndb version='4' pub_date='2010-10-17'>
  <ruleset name='sshd' id='12345678'>
    <pattern>sshd</pattern>
    <rules>
      <!-- The pattern database rule for the first log message -->
      <rule provider='me' id='12347598' class='system'
            context-id="ssh_session" context-timeout="86400"
            context-scope="process">
        <!-- Note the context-id that groups together the
             relevant messages, and the context-timeout value that
             determines how long a new message can be added to the
             context -->
        <patterns>
          <!-- Kept on a single line: the element's text is the pattern,
               so a line break before </pattern> would become part of it -->
          <pattern>Accepted @ESTRING:SSH.AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2</pattern>
          <!-- This is the actual pattern used to identify
               the log message. The segments between the @
               characters are parsers that recognize the variable
               parts of the message - they can also be used as
               macros. -->
        </patterns>
        <!-- <tags> is a child of <rule>, as in the second rule below -->
        <tags><tag>sshd</tag></tags>
      </rule>
      <!-- The pattern database rule for the fourth log message -->
      <rule provider='me' id='12347599' class='system'
            context-id="ssh_session" context-scope="process" context-timeout="86400">
        <patterns>
          <pattern>pam_unix(sshd:session): session closed for user @STRING:SSH_USERNAME:@</pattern>
        </patterns>
        <tags><tag>sshd</tag></tags>
        <actions>
          <action>
            <message>
              <values>
                <!--value name="MESSAGE">
                  $(context-length) An SSH session for ${SSH_USERNAME}@1 from ${SSH_CLIENT_ADDRESS}@2 closed. Session lasted from ${DATE}@2 to ${DATE}
                </value-->
                <value name="MESSAGE">DEBUG: Length: $(context-length), sshusername: ${SSH_USERNAME}, sshusername1: ${SSH_USERNAME}@1, sshusername2: ${SSH_USERNAME}@2, client_address: ${SSH_CLIENT_ADDRESS}, client_address1: ${SSH_CLIENT_ADDRESS}@1, client_address2: ${SSH_CLIENT_ADDRESS}@2, sshportnumber:${SSH_PORT_NUMBER}, sshportnumber1: ${SSH_PORT_NUMBER}@1, MESSAGE0: ${MESSAGE}, MESSAGE1: ${MESSAGE}@1, MESSAGE2: ${MESSAGE}@2, MESSAGE3: ${MESSAGE}@3</value>
              </values>
              <tags><tag>debug</tag></tags>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
syslog-ng.conf
source s_authlog_file {
  file("/var/log/auth.log" follow_freq(10));
};
parser p_patterndb {
  db_parser( file("/var/lib/syslog-ng/sshd.xml") );
};
destination d_debug {
  file("/tmp/debug.log");
};
# Only the synthetic messages generated by the <action> carry the "debug" tag
filter f_debug2 {
  tags("debug");
};
log {
  source(s_authlog_file);
  parser(p_patterndb);
  log {
    filter(f_debug2);
    destination(d_debug);   # must match the destination name declared above
  };
};
This current configuration is writing this kind of output to the debug file /tmp/debug.log:
Apr 1 17:44:34 username sshd[32446]: DEBUG: Length: 2, sshusername: , sshusername1: user, sshusername2: , client_address: , client_address1: , client_address2: , sshportnumber:, sshportnumber1: , MESSAGE0: , MESSAGE1: pam_unix(sshd:session): session closed for user user, MESSAGE2: , MESSAGE3:
I expected to see the "Accepted password" message as one of the messages in the context, but it looks like the context consists of only 2 messages and one of them is blank.
Can anyone explain to me what I'm doing wrong here?
Thanks =)
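A pre-flight check for a ruleset like the one above, added here as an example; it is not from the original post and it is not part of syslog-ng. It parses the patterndb XML and reports the problems that typically leave a ${MACRO}@N reference empty in an action message: stray whitespace inside a <pattern> element (so the line never matches and never enters the context), a ${NAME}@N that names a parser no rule in the same context-id defines, rules that share a context-id but disagree on context-scope or context-timeout, and a file that is not well-formed XML. The embedded ruleset is constructed for the example, modelled on the one in the question, with three defects planted on purpose; the list of built-in macros is a short, non-exhaustive assumption.

```python
"""Pre-flight lint for a syslog-ng patterndb XML file used for correlation.

Added example, not part of the original post or of syslog-ng itself.
"""
import re
import xml.etree.ElementTree as ET

# Macros every syslog-ng message carries; a ${NAME}@N reference to one of these
# is valid even though no @PARSER:NAME:@ defines it. Assumed, non-exhaustive list.
BUILTIN_MACROS = {"MESSAGE", "MSG", "DATE", "FULLDATE", "ISODATE", "HOST", "PROGRAM", "PID"}

# "@ESTRING:SSH_USERNAME: @" -> "SSH_USERNAME"; the parser parameter after the
# second colon (e.g. the ESTRING delimiter) is optional.
PARSER_RE = re.compile(r"@[A-Z]+:([A-Za-z0-9_.]+)(?::[^@]*)?@")
# "${SSH_USERNAME}@1" -> ("SSH_USERNAME", "1"); "${DATE}" -> ("DATE", "")
REF_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}(?:@(\d+))?")


def lint_patterndb(xml_text):
    """Return a list of (rule_id, kind, detail) findings; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:  # e.g. a missing </patterndb> closing tag
        return [("", "xml-parse-error", str(err))]

    for ruleset in root.iter("ruleset"):
        names_in_context = {}  # context-id -> parser names set by all its rules
        names_in_rule = {}     # rule id    -> parser names set by that rule only
        scope_of_context = {}  # context-id -> (context-scope, context-timeout)
        rules = list(ruleset.iter("rule"))

        for rule in rules:
            rid, ctx = rule.get("id"), rule.get("context-id")
            names_in_rule[rid] = set()
            for pat in rule.iter("pattern"):
                text = pat.text or ""
                # The element text is the pattern; a newline before </pattern> is part of it.
                if text != text.strip():
                    findings.append((rid, "whitespace", repr(text)))
                names_in_rule[rid].update(PARSER_RE.findall(text))
            if ctx:
                names_in_context.setdefault(ctx, set()).update(names_in_rule[rid])
                scope = (rule.get("context-scope"), rule.get("context-timeout"))
                first = scope_of_context.setdefault(ctx, scope)
                if scope != first:
                    findings.append((rid, "scope", f"{ctx}: {scope} differs from {first}"))

        # Second pass: every ${NAME}@N in an action message must name a parser that
        # some rule in the same context (or this rule alone, if uncorrelated) sets.
        for rule in rules:
            rid, ctx = rule.get("id"), rule.get("context-id")
            known = names_in_context.get(ctx, names_in_rule[rid]) | BUILTIN_MACROS
            for value in rule.iter("value"):
                for name, _idx in REF_RE.findall(value.text or ""):
                    if name not in known:
                        findings.append((rid, "unknown-macro", name))
    return findings


# Constructed sample modelled on the question's ruleset, with three deliberate
# defects: a newline inside the first <pattern>, a context-scope that disagrees
# between the two rules, and a misspelt ${SSH_CLIENT_ADDR}@1 in the action.
SAMPLE_PDB = """<patterndb version='4' pub_date='2019-04-01'>
  <ruleset name='sshd' id='12345678'>
    <pattern>sshd</pattern>
    <rules>
      <rule provider='me' id='12347598' class='system'
            context-id='ssh_session' context-scope='process' context-timeout='86400'>
        <patterns>
          <pattern>Accepted @ESTRING:SSH.AUTH_METHOD: @for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ ssh2
          </pattern>
        </patterns>
      </rule>
      <rule provider='me' id='12347599' class='system'
            context-id='ssh_session' context-scope='host' context-timeout='86400'>
        <patterns>
          <pattern>pam_unix(sshd:session): session closed for user @STRING:SSH_USERNAME:@</pattern>
        </patterns>
        <actions><action><message><values>
          <value name='MESSAGE'>SSH session for ${SSH_USERNAME}@1 from ${SSH_CLIENT_ADDR}@1 lasted from ${DATE}@1 to ${DATE}</value>
        </values></message></action></actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
"""

# The same file with the three defects repaired; it should lint clean.
CLEAN_PDB = (re.sub(r"ssh2\s*</pattern>", "ssh2</pattern>", SAMPLE_PDB)
             .replace("context-scope='host'", "context-scope='process'")
             .replace("${SSH_CLIENT_ADDR}", "${SSH_CLIENT_ADDRESS}"))

if __name__ == "__main__":
    for rid, kind, detail in lint_patterndb(SAMPLE_PDB):
        print(f"rule {rid or '-'}: {kind}: {detail}")
    print("clean file findings:", lint_patterndb(CLEAN_PDB))
```

Run it against your own file by passing its contents to lint_patterndb(); fix whatever it reports before loading the database. Once it lints clean, `pdbtool match -p sshd.xml -P sshd -M '<message text>'` shows which rule a single line hits and which parser values it extracts, which is the quickest way to confirm the "Accepted" line actually matches and is therefore joining the context.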