The first round to collect login/logout messages from sshd is now complete.
You could ask: ok, but what is the immediate benefit? You supposedly have a lot of unprocessed log files, and syslog-ng's db-parser() has not been used to process them, thus they are stored as good-old plain text files.
I spent a couple of hours to add a "grep"-like functionality to pdbtool which makes it easy to process already existing log files, giving you immediate benefit for each and every sample added to patterndb.
For example, if you are interested in login failure events, you could say:
zcat logfile.gz | pdbtool match -p access/sshd.pdb \
--file - \
--filter 'tags("usracct") and match('REJECT' type(string) value("secevt.verdict"));' \
What the command above does is the following:
- reads a compressed logfile from logfile.gz
- tells pdbtool to use access/sshd.pdb (in the patterndb git repo) as its pattern database file
- tells pdbtool to read its stdin as a logfile, and
- apply the db-parser() for each log message
- apply the syslog-ng filter specified above
- and print matching messages using the template also specified above
And imagine we'd have patterns for all common applications running on our computers: this would mean that the same command above would produce login-failure reports independently from the application/OS combination being used.
Try that with grep. :)
This pdbtool is in the OSE 3.2 tree, clone the tree from: git://git.balabit.hu/bazsi/syslog-ng-3.2.git