syslog-ng-users December 2011 archive

Re: [syslog-ng] syslog-ng Digest, Vol 80, Issue 33

From: Anup Shetty <anupdshetty_at_nospam>
Date: Fri Dec 23 2011 - 11:25:19 GMT
To: syslog-ng@lists.balabit.hu

I can't execute those commands. Here's the error:

Unknown command
Syntax: pdbtool <command> [options]
Possible commands are:
    match Match a message against the pattern database
    dump Dump pattern datebase tree
    merge Merge pattern databases
    dictionary Dump pattern dictionary

Version

syslog-ng-premium-edition 3.2.1
Installer-Version: 3.2.1

>
> ------------------------------
>
> Message: 3
> Date: Thu, 22 Dec 2011 13:11:05 -0600
> From: Martin Holste <mcholste@gmail.com>
> Subject: Re: [syslog-ng] Pattern matching.
> To: "Syslog-ng users' and developers' mailing list"
> <syslog-ng@lists.balabit.hu>
> Message-ID:
> <CANpnLHgau7bZrSP2ro0QY=a8ZcJZLyqJgAVegWufDuszOjuCMA@mail.gmail.com
> >
> Content-Type: text/plain; charset=ISO-8859-1
>
> You can also include an example pattern as part of the actual rule like
> this:
>
> <ruleset>
> <program></program>
> <rule id="2">
> <pattern>@ESTRING:user::@ Security Microsoft
> Windows security auditing.: [Success Audit] A computer account was
> changed. Subject: Security ID: S-1-5-7 Account Name:
> ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3e6
> Computer Account That Was Changed: Security ID: @ESTRING::
> @Account Name: @ESTRING:ACC_NAME: @ Account Domain: WW002
> Changed Attributes: SAM Account Name: - Display Name: - User
> Principal Name: - Home Directory: - Home Drive: - Script Path:
> - Profile Path: - User Workstations: - Password Last Set:
> @ESTRING:: @@ESTRING:: @ Account Expires: - Primary Group ID: -
> AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User
> Account Control: - User Parameters: - SID History: - Logon
> Hours: - DNS Host Name: - Service Principal Names: -
> Additional Information: Privileges: - (EventID 4742)</pattern>
> <examples>
> <example>
> <test_message
> program="Microsoft_Windows_security_auditing.[5784]">: Security
> Microsoft Windows security auditing.: [Success Audit] A computer
> account was changed. Subject: Security ID: S-1-5-7 Account
> Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID:
> 0x3e6 Computer Account That Was Changed: Security ID:
> S-1-5-21-776561741-789336058-725345543-305444 Account Name: User1$
> Account Domain: TEST Changed Attributes: SAM Account Name: -
> Display Name: - User Principal Name: - Home Directory: - Home
> Drive: - Script Path: - Profile Path: - User Workstations: -
> Password Last Set: 12/22/2011 3:38:32 AM Account Expires: -
> Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New
> UAC Value: - User Account Control: - User Parameters: - SID
> History: - Logon Hours: - DNS Host Name: - Service Principal
> Names: - Additional Information: Privileges: - (EventID
> 4742)</test_message>
> <test_value
> name="ACC_NAME">User1$</test_value>
> </example>
> </examples>
> </rule>
> </ruleset>
>
> Then you can test it more easily like this:
> pdbtool test patterndb.xml
>
> On Thu, Dec 22, 2011 at 8:04 AM, Balazs Scheidler <bazsi@balabit.hu>
> wrote:
> > On Thu, 2011-12-22 at 14:31 +0530, Anup Shetty wrote:
> >> Nope, no luck yet. Still blanks being spit out.
> >>
> >>
> >> Here's the exact extract of the pattern matching and the log:
> >>
> >>
> >> Pattern String
> >> ---------------------------
> >>
> >>
> >> @ESTRING:user::@ Security Microsoft Windows security auditing.:
> >> [Success Audit] A computer account was changed. ? ?Subject: ? Security
> >> ID: ?S-1-5-7 ? Account Name: ?ANONYMOUS LOGON ? Account Domain: ?NT
> >> AUTHORITY ? Logon ID: ?0x3e6 ? ?Computer Account That Was Changed:
> >> Security ID: ?@ESTRING:: ?@Account Name: ? @ESTRING:ACC_NAME: @
> >> Account Domain: ?WW002 ? ?Changed Attributes: ? SAM Account Name: -
> >> Display Name: ?- ? User Principal Name: - ? Home Directory: ?- ? Home
> >> Drive: ?- ? Script Path: ?- ? Profile Path: ?- ? User Workstations: -
> >> Password Last Set: @ESTRING:: @@ESTRING:: @ ? Account Expires: ?-
> >> Primary Group ID: - ? AllowedToDelegateTo: - ? Old UAC Value: ?- ? New
> >> UAC Value: ?- ? User Account Control: - ? User Parameters: - ? SID
> >> History: ?- ? Logon Hours: ?- ? DNS Host Name: ?- ? Service Principal
> >> Names: - ? ?Additional Information: ? Privileges: ?- (EventID 4742)
> >>
> >>
> >> Log
> >> ------------------
> >>
> >>
> >> Dec 22 03:38:32 Server.zoom11.test.net
> >> Microsoft_Windows_security_auditing.[5784]: : Security Microsoft
> >> Windows security auditing.: [Success Audit] A computer account was
> >> changed. ? ?Subject: ? Security ID: ?S-1-5-7 ? Account Name:
> >> ?ANONYMOUS LOGON ? Account Domain: ?NT AUTHORITY ? Logon ID: ?0x3e6
> >> ?Computer Account That Was Changed: ? Security ID:
> >> ?S-1-5-21-776561741-789336058-725345543-305444 ? Account Name: ?User1$
> >> Account Domain: ?TEST ? ?Changed Attributes: ? SAM Account Name: -
> >> Display Name: ?- ? User Principal Name: - ? Home Directory: ?- ? Home
> >> Drive: ?- ? Script Path: ?- ? Profile Path: ?- ? User Workstations: -
> >> Password Last Set: 12/22/2011 3:38:32 AM ? Account Expires: ?-
> >> Primary Group ID: - ? AllowedToDelegateTo: - ? Old UAC Value: ?- ? New
> >> UAC Value: ?- ? User Account Control: - ? User Parameters: - ? SID
> >> History: ?- ? Logon Hours: ?- ? DNS Host Name: ?- ? Service Principal
> >> Names: - ? ?Additional Information: ? Privileges: ?- (EventID 4742)
> >>
> >>
> > "pdbtool match" can be used to test patterns.
> >
> > pdbtool patch -p <path to xml file> -P '<appname>' -M '<msg>' --debug --color-out
> >
> > This even colours the output so that the partial matches can be
> > recognized. This is the best way to troubleshoot patterns.
> >
> > --
> > Bazsi
> >
> >
>

-- Thanks and regards, Anup
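The advice quoted above from Martin and Bazsi is to test the rule with pdbtool and look at where a partial match stops. As an added example that is not part of this thread or of syslog-ng, the Python below is a toy re-implementation of the @ESTRING:name:terminator@ semantics the rule relies on (value is the text up to the terminator, the terminator is consumed but not stored, the whole message must be consumed) and returns the offset at which matching stopped; PATTERN and MESSAGE are constructed, shortened versions of the EventID 4742 pattern and log quoted above.

```python
# Added example: toy re-implementation of patterndb's @ESTRING@ matching; it is not pdbtool.
from typing import Dict, List, Tuple, Union

Token = Union[str, Tuple[str, str]]  # literal text, or (name, terminator) of an ESTRING parser

def compile_pattern(pattern: str) -> List[Token]:
    """Split a pattern into literals and @ESTRING:name:terminator@ parsers ('@@' is a literal '@')."""
    tokens: List[Token] = []
    i, lit = 0, ""
    while i < len(pattern):
        if pattern.startswith("@@", i):            # escaped '@'
            lit, i = lit + "@", i + 2
        elif pattern[i] != "@":
            lit, i = lit + pattern[i], i + 1
        else:
            end = pattern.index("@", i + 1)        # closing '@' of this parser
            parts = pattern[i + 1:end].split(":", 2)
            if len(parts) != 3 or parts[0] != "ESTRING" or not parts[2]:
                raise ValueError("toy supports only @ESTRING:name:terminator@: " + pattern[i:end + 1])
            if lit:
                tokens.append(lit)
            tokens.append((parts[1], parts[2]))
            lit, i = "", end + 1
    return tokens + [lit] if lit else tokens

def match(pattern: str, msg: str) -> Tuple[bool, Dict[str, str], int]:
    """Return (matched, values, offset reached); a rule matches only if the whole message is consumed."""
    values: Dict[str, str] = {}
    pos = 0
    for tok in compile_pattern(pattern):
        if isinstance(tok, str):                   # literal: verbatim, whitespace included
            if not msg.startswith(tok, pos):
                return False, values, pos          # offset is where coloured pdbtool output would stop
            pos += len(tok)
        else:                                      # ESTRING: text up to terminator; terminator consumed
            name, term = tok
            end = msg.find(term, pos)
            if end < 0:
                return False, values, pos
            if name:                               # @ESTRING::x@ has no name and only consumes
                values[name] = msg[pos:end]
            pos = end + len(term)
    return pos == len(msg), values, pos

# Constructed, shortened versions of the EventID 4742 pattern and log quoted in the thread.
PATTERN = ("@ESTRING:user::@ Security Microsoft Windows security auditing.: [Success Audit] "
           "A computer account was changed. Computer Account That Was Changed: Security ID: "
           "@ESTRING:: @Account Name: @ESTRING:ACC_NAME: @Account Domain: TEST")
MESSAGE = (": Security Microsoft Windows security auditing.: [Success Audit] "
           "A computer account was changed. Computer Account That Was Changed: Security ID: "
           "S-1-5-21-776561741-789336058-725345543-305444 Account Name: User1$ Account Domain: TEST")
```

Only @ESTRING@ is implemented; this is a reading aid for the thread, not a substitute for running pdbtool against the real ruleset.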

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq