110.9. Pattern Matcher (pm_pattern)
This module makes it possible to execute pattern matching with a pattern database file in XML format. The pm_pattern module has been replaced by an extension module, xm_pattern, which provides nearly identical functionality with the improved flexibility of an extension module.
110.9.1. Configuration
The pm_pattern module accepts the following directives in addition to the common module directives.
PatternFile
    This mandatory directive specifies the name of the pattern database file.
110.9.2. Fields
The following fields are used by pm_pattern.
$PatternID (type: integer)
    The ID number of the pattern which matched the message.
$PatternName (type: string)
    The name of the pattern which matched the message.
110.9.3. Examples
This configuration reads BSD Syslog messages from the socket, processes the messages with a pattern file, and then writes them to file in JSON format.
<Extension json>
    Module  xm_json
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input uds>
    Module  im_uds
    UDS     /dev/log
    Exec    parse_syslog_bsd();
</Input>

<Processor pattern>
    Module       pm_pattern
    PatternFile  /var/lib/nxlog/patterndb.xml
</Processor>

<Output file>
    Module  om_file
    File    "/var/log/out"
    Exec    to_json();
</Output>

<Route uds_to_file>
    Path    uds => pattern => file
</Route>
The following pattern database contains two patterns to match SSH authentication messages. The patterns are under a group named ssh, which checks whether the $SourceName field is sshd and only tries to match the patterns if the logs are indeed from sshd. Both patterns extract AuthMethod, AccountName, and SourceIP4Address from the log message when the pattern matches the log. Additionally, TaxonomyStatus and TaxonomyAction are set. The second pattern also uses the Exec block, which is evaluated when the pattern matches.
Note
For this pattern to work, the logs must be parsed with parse_syslog() prior to processing by the pm_pattern module (as in the above example), because it uses the $SourceName and $Message fields.
<?xml version='1.0' encoding='UTF-8'?>
<patterndb>
  <created>2010-01-01 01:02:03</created>
  <version>42</version>
  <group>
    <name>ssh</name>
    <id>42</id>
    <matchfield>
      <name>SourceName</name>
      <type>exact</type>
      <value>sshd</value>
    </matchfield>
    <pattern>
      <id>1</id>
      <name>ssh auth success</name>
      <matchfield>
        <name>Message</name>
        <type>regexp</type>
        <!-- Accepted publickey for nxlogfan from 192.168.1.1 port 4242 ssh2 -->
        <value>^Accepted (\S+) for (\S+) from (\S+) port \d+ ssh2</value>
        <capturedfield>
          <name>AuthMethod</name>
          <type>string</type>
        </capturedfield>
        <capturedfield>
          <name>AccountName</name>
          <type>string</type>
        </capturedfield>
        <capturedfield>
          <name>SourceIP4Address</name>
          <type>string</type>
        </capturedfield>
      </matchfield>
      <set>
        <field>
          <name>TaxonomyStatus</name>
          <value>success</value>
          <type>string</type>
        </field>
        <field>
          <name>TaxonomyAction</name>
          <value>authenticate</value>
          <type>string</type>
        </field>
      </set>
    </pattern>
    <pattern>
      <id>2</id>
      <name>ssh auth failure</name>
      <matchfield>
        <name>Message</name>
        <type>regexp</type>
        <value>^Failed (\S+) for invalid user (\S+) from (\S+) port \d+ ssh2</value>
        <capturedfield>
          <name>AuthMethod</name>
          <type>string</type>
        </capturedfield>
        <capturedfield>
          <name>AccountName</name>
          <type>string</type>
        </capturedfield>
        <capturedfield>
          <name>SourceIP4Address</name>
          <type>string</type>
        </capturedfield>
      </matchfield>
      <set>
        <field>
          <name>TaxonomyStatus</name>
          <value>failure</value>
          <type>string</type>
        </field>
        <field>
          <name>TaxonomyAction</name>
          <value>authenticate</value>
          <type>string</type>
        </field>
      </set>
      <exec>
        $TestField = 'test';
      </exec>
      <exec>
        $TestField = $TestField + 'value';
      </exec>
    </pattern>
  </group>
</patterndb>
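To make the matching semantics of the pattern database concrete, here is an added Python example (not NXLog code, and not from this documentation) that re-implements the behaviour described above on a condensed copy of the same pattern database: group matchfields gate the patterns, a regexp matchfield's capture groups map in order onto the listed capturedfield names, the set block adds fixed fields, and $PatternID and $PatternName record which pattern matched. The sample records are constructed to look like parse_syslog_bsd() output; the Exec blocks are omitted because they are NXLog language statements, which this toy matcher does not evaluate. The function names and the first-match-wins order are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Condensed copy of the pattern database above (constructed for this example; the
# Exec blocks are omitted, since they are NXLog language, not matcher logic).
PATTERNDB_XML = r"""<patterndb>
  <group><name>ssh</name><id>42</id>
    <matchfield><name>SourceName</name><type>exact</type><value>sshd</value></matchfield>
    <pattern><id>1</id><name>ssh auth success</name>
      <matchfield><name>Message</name><type>regexp</type>
        <value>^Accepted (\S+) for (\S+) from (\S+) port \d+ ssh2</value>
        <capturedfield><name>AuthMethod</name><type>string</type></capturedfield>
        <capturedfield><name>AccountName</name><type>string</type></capturedfield>
        <capturedfield><name>SourceIP4Address</name><type>string</type></capturedfield>
      </matchfield>
      <set><field><name>TaxonomyStatus</name><value>success</value><type>string</type></field>
           <field><name>TaxonomyAction</name><value>authenticate</value><type>string</type></field></set>
    </pattern>
    <pattern><id>2</id><name>ssh auth failure</name>
      <matchfield><name>Message</name><type>regexp</type>
        <value>^Failed (\S+) for invalid user (\S+) from (\S+) port \d+ ssh2</value>
        <capturedfield><name>AuthMethod</name><type>string</type></capturedfield>
        <capturedfield><name>AccountName</name><type>string</type></capturedfield>
        <capturedfield><name>SourceIP4Address</name><type>string</type></capturedfield>
      </matchfield>
      <set><field><name>TaxonomyStatus</name><value>failure</value><type>string</type></field>
           <field><name>TaxonomyAction</name><value>authenticate</value><type>string</type></field></set>
    </pattern>
  </group>
</patterndb>"""

def _convert(value, ftype):
    # Coerce a value according to its declared field type.
    return int(value) if ftype == "integer" else value

def _parse_matchfield(mf):
    # exact: plain string comparison; regexp: capture groups map in order onto <capturedfield> names.
    ftype = mf.findtext("type")
    value = mf.findtext("value")
    return {"name": mf.findtext("name"), "type": ftype,
            "value": re.compile(value) if ftype == "regexp" else value,
            "captured": [(c.findtext("name"), c.findtext("type")) for c in mf.findall("capturedfield")]}

def load_patterndb(xml_text):
    # A group's own matchfields gate its patterns: they are only tried when every gate matches.
    groups = []
    for g in ET.fromstring(xml_text).findall("group"):
        patterns = [{"id": int(p.findtext("id")), "name": p.findtext("name"),
                     "matchfields": [_parse_matchfield(mf) for mf in p.findall("matchfield")],
                     "set": [(f.findtext("name"), _convert(f.findtext("value"), f.findtext("type")))
                             for f in p.findall("set/field")]} for p in g.findall("pattern")]
        groups.append({"name": g.findtext("name"), "patterns": patterns,
                       "gate": [_parse_matchfield(mf) for mf in g.findall("matchfield")]})
    return groups

def _match_field(mf, record):
    # Captured fields as a dict on match; None when the field is absent or does not match.
    value = record.get(mf["name"])
    if value is None:
        return None
    if mf["type"] == "exact":
        return {} if value == mf["value"] else None
    m = mf["value"].search(value)
    return None if m is None else {name: _convert(grp, ftype)
                                   for (name, ftype), grp in zip(mf["captured"], m.groups())}

def apply_patterns(record, groups):
    # First matching pattern wins: its captured fields, <set> fields, $PatternID and
    # $PatternName go onto a copy of the record; non-matching records pass through unchanged.
    out = dict(record)
    for group in groups:
        if any(_match_field(mf, out) is None for mf in group["gate"]):
            continue  # e.g. $SourceName is not sshd, so the ssh patterns are never tried
        for pattern in group["patterns"]:
            captured = {}
            for mf in pattern["matchfields"]:
                result = _match_field(mf, out)
                if result is None:
                    break
                captured.update(result)
            else:  # every matchfield of this pattern matched
                out.update(captured)
                out.update(pattern["set"])
                out["PatternID"], out["PatternName"] = pattern["id"], pattern["name"]
                return out
    return out

# Constructed records, shaped like parse_syslog_bsd() output, before pm_pattern runs.
SAMPLE_RECORDS = [
    {"SourceName": "sshd", "Message": "Accepted publickey for nxlogfan from 192.168.1.1 port 4242 ssh2"},
    {"SourceName": "sshd", "Message": "Failed password for invalid user guest from 203.0.113.7 port 51234 ssh2"},
    {"SourceName": "sshd", "Message": "Received disconnect from 192.168.1.1 port 4242:11: disconnected by user"},
    {"SourceName": "cron", "Message": "Accepted publickey for nxlogfan from 192.168.1.1 port 4242 ssh2"},
]

def run_example():
    groups = load_patterndb(PATTERNDB_XML)
    return [apply_patterns(rec, groups) for rec in SAMPLE_RECORDS]
```

Running run_example() enriches the first two records (success and failure, with AuthMethod, AccountName, SourceIP4Address and the taxonomy fields set) and leaves the third untouched because neither regexp matches; the fourth is identical to the first except that $SourceName is cron, which shows the group gate in action: it never reaches the ssh patterns even though its message would match. When tuning a real pattern file, that gate is what keeps a permissive regexp from tagging unrelated sources.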