Gentoo Archives: gentoo-security

From: Chris <chris@×××××××××××.net>
To: gentoo-security@l.g.o
Subject: [gentoo-security] prelude-lml and log_prefix_regex
Date: Sat, 15 Oct 2005 08:14:58
Message-Id: 4350B96A.5000506@services-4u.net
In Reply to: RE: [gentoo-security] hosts.{allow,deny} vs. iptables. by "Łukasz C. Jokiel"
Hello listmembers,

i'm setting up a prelude/snort system and so far everything works quite
well, but i have absolutely no clue about regular expressions.
i tried to get it for a few hours now, but damn, this is really hard
stuff... :(
all i need is an expression for setting up the prelude-lml variable:
"log_prefix_regex" with my syslog-ng entries, but i don't get it, so i
thought i might ask if someone with the needed knowledge could help me out.

my logentries look like this:
    2005-10-15T10:01:20+0100 <auth.info> balmoral su(pam_unix)[741]:
session opened for user root by (uid=1000)

using this syslog-ng entry:
    template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")

and prelude-lml want's to use this expression to extract the data:
    time-format = "%Y-%m-%dT%H:%M:%S"
    prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+)
(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"


all i get using this regex is the following error:
could not match log_prefix_regex against log entry:
2005-10-15T10:01:20+0100 <auth.info> balmoral su(pam_unix)[741]: session
opened for user root by (uid=1000)
the time-format was the only thing i could change accordingly and using
date "+%Y-%m-%dT%H:%M:%S" produces the used log-date.

so, if someone could create a working regular expression for me (or
gimme some other help), as slowly my brain begins to smoke while i'm
totally stuck, i would appreciate it very much.

greetings, chris


> >
-- gentoo-security@g.o mailing list